diff --git a/.chainsaw.yaml b/.chainsaw.yaml
new file mode 100755
index 000000000000..993fec47cdd5
--- /dev/null
+++ b/.chainsaw.yaml
@@ -0,0 +1,15 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Configuration
+metadata:
+ name: configuration
+spec:
+ timeouts:
+ assert: 90s
+ error: 90s
+ parallel: 1
+ fullName: true
+ failFast: true
+ excludeTestRegex: '_.+'
+ forceTerminationGracePeriod: 5s
+ delayBeforeCleanup: 3s
+ template: false
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
new file mode 100644
index 000000000000..8a9648b5e872
--- /dev/null
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,34 @@ +FROM ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30 + +RUN apt-get update && apt-get install -y sudo git curl apt-transport-https ca-certificates gnupg-agent software-properties-common +ARG USERNAME=root +RUN echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \ + && chmod 0440 /etc/sudoers.d/$USERNAME + +# Install Golang +RUN ARCH="$(dpkg --print-architecture)"; \ + curl -LO https://dl.google.com/go/go1.21.3.linux-$ARCH.tar.gz \ + && tar -C /usr/local -xzf go1.21.3.linux-$ARCH.tar.gz \ + && rm go1.21.3.linux-$ARCH.tar.gz \ + && echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile + +# Install Docker +# Install Docker +RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg +RUN echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \ + $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null +RUN apt-get update && apt-get install -y docker-ce docker-ce-cli containerd.io + +# Install kubectl and Minikube +RUN ARCH="$(dpkg --print-architecture)"; \ + curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/$ARCH/kubectl \ + && chmod +x kubectl && mv kubectl /usr/local/bin/ \ + && curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-$ARCH \ + && install minikube-linux-$ARCH /usr/local/bin/minikube \ + && minikube config set driver docker + +# Expose ports for Minikube and Docker +EXPOSE 22 80 2375 8443 + +CMD ["/bin/bash"] diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000000..bb232e55a33c --- /dev/null +++ b/.devcontainer/devcontainer.json 
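Review bot: The Go, kubectl and minikube downloads in the three `RUN ... curl -LO` steps are extracted and installed without any checksum or signature verification, and `curl` is invoked without `-f`, so a transport error page or a substituted archive is silently installed into the image; the `stable.txt` and `latest` lookups for kubectl and minikube also make the image unreproducible from one build to the next. For the Go step, fetch with `curl -fsSLO` and verify before extracting, e.g. `echo "<GO_TARBALL_SHA256>  go1.21.3.linux-$ARCH.tar.gz" | sha256sum -c -` (the expected value is per-architecture, so it needs one `ARG` per arch), and pin kubectl and minikube to explicit versions checked against their published checksums the same way. Separately, the sudoers line writes a `NOPASSWD:ALL` rule for `$USERNAME`, which defaults to `root` and therefore grants nothing, and `EXPOSE 2375` advertises the unauthenticated Docker TCP port; both deserve either a comment stating the intent or removal. The duplicated `# Install Docker` comment can be dropped.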
@@ -0,0 +1,10 @@ +// See https://containers.dev/implementors/json_reference/ for configuration reference +{ + "name": "Kyverno", + "build": { + "dockerfile": "Dockerfile" + }, + "remoteUser": "root", + "mounts": ["source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind"], + "runArgs": ["--privileged", "--network=host", "-p", "22:22", "-p", "80:80", "-p", "2375:2375", "-p", "8443:8443"] +} \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/bug-cli.yaml b/.github/ISSUE_TEMPLATE/bug-cli.yaml index f02debc85267..0b151db7e67a 100644 --- a/.github/ISSUE_TEMPLATE/bug-cli.yaml +++ b/.github/ISSUE_TEMPLATE/bug-cli.yaml @@ -14,18 +14,6 @@ body: description: >- What version of the Kyverno CLI are you running (`kyverno version`)? options: - - 1.4.x - - 1.5.x - - 1.6.0 - - 1.6.1 - - 1.6.2 - - 1.6.3 - - 1.7.0 - - 1.7.1 - - 1.7.2 - - 1.7.3 - - 1.7.4 - - 1.7.5 - 1.8.0 - 1.8.1 - 1.8.2 @@ -33,6 +21,30 @@ body: - 1.8.4 - 1.8.5 - 1.9.0 + - 1.9.1 + - 1.9.2 + - 1.9.3 + - 1.9.4 + - 1.9.5 + - 1.10.0 + - 1.10.1 + - 1.10.2 + - 1.10.3 + - 1.10.4 + - 1.10.5 + - 1.10.6 + - 1.11.0 + - 1.11.1 + - 1.11.2 + - 1.11.3 + - 1.11.4 + - 1.11.5 + - 1.12.0 + - 1.12.1 + - 1.12.2 + - 1.12.3 + - 1.12.4 + - 1.12.5 validations: required: true - type: textarea @@ -84,7 +96,7 @@ body: description: >- Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks. Kyverno CLI logs may be found by passing the -v flag to any command. - render: shell + render: Shell - type: input id: slack attributes: diff --git a/.github/ISSUE_TEMPLATE/bug-other.yaml b/.github/ISSUE_TEMPLATE/bug-other.yaml index 287cb01877ed..ea3af73841f5 100644 --- a/.github/ISSUE_TEMPLATE/bug-other.yaml +++ b/.github/ISSUE_TEMPLATE/bug-other.yaml 
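Review bot: The `runArgs` entry combines `--network=host` with four `-p` port mappings, which Docker ignores under host networking (the daemon warns about it), so the `-p` pairs are dead configuration and either they or `--network=host` should go. The same line also runs the container `--privileged` while the Docker socket is already bind-mounted through `mounts`; the socket alone should be what minikube's `docker` driver needs, and privileged mode plus the socket gives every tool run inside the dev container (including `go mod download` of third-party modules) root-equivalent access to the host. If privileged mode is required for something beyond minikube, a comment stating why would help the next reader; otherwise prefer `"runArgs": ["--network=host"]`.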
@@ -13,18 +13,6 @@ body: label: Kyverno Version description: What version of Kyverno are you running? options: - - 1.4.x - - 1.5.x - - 1.6.0 - - 1.6.1 - - 1.6.2 - - 1.6.3 - - 1.7.0 - - 1.7.1 - - 1.7.2 - - 1.7.3 - - 1.7.4 - - 1.7.5 - 1.8.0 - 1.8.1 - 1.8.2 @@ -32,6 +20,30 @@ body: - 1.8.4 - 1.8.5 - 1.9.0 + - 1.9.1 + - 1.9.2 + - 1.9.3 + - 1.9.4 + - 1.9.5 + - 1.10.0 + - 1.10.1 + - 1.10.2 + - 1.10.3 + - 1.10.4 + - 1.10.5 + - 1.10.6 + - 1.11.0 + - 1.11.1 + - 1.11.2 + - 1.11.3 + - 1.11.4 + - 1.11.5 + - 1.12.0 + - 1.12.1 + - 1.12.2 + - 1.12.3 + - 1.12.4 + - 1.12.5 validations: required: true - type: textarea diff --git a/.github/ISSUE_TEMPLATE/bug-webhook.yaml b/.github/ISSUE_TEMPLATE/bug-webhook.yaml index fe8cfbbf4c41..e4ba65808bc1 100644 --- a/.github/ISSUE_TEMPLATE/bug-webhook.yaml +++ b/.github/ISSUE_TEMPLATE/bug-webhook.yaml @@ -13,18 +13,6 @@ body: label: Kyverno Version description: What version of Kyverno are you running? options: - - 1.4.x - - 1.5.x - - 1.6.0 - - 1.6.1 - - 1.6.2 - - 1.6.3 - - 1.7.0 - - 1.7.1 - - 1.7.2 - - 1.7.3 - - 1.7.4 - - 1.7.5 - 1.8.0 - 1.8.1 - 1.8.2 @@ -32,6 +20,30 @@ body: - 1.8.4 - 1.8.5 - 1.9.0 + - 1.9.1 + - 1.9.2 + - 1.9.3 + - 1.9.4 + - 1.9.5 + - 1.10.0 + - 1.10.1 + - 1.10.2 + - 1.10.3 + - 1.10.4 + - 1.10.5 + - 1.10.6 + - 1.11.0 + - 1.11.1 + - 1.11.2 + - 1.11.3 + - 1.11.4 + - 1.11.5 + - 1.12.0 + - 1.12.1 + - 1.12.2 + - 1.12.3 + - 1.12.4 + - 1.12.5 validations: required: true - type: dropdown @@ -40,13 +52,15 @@ body: label: Kubernetes Version description: What version of Kubernetes are you running? options: - - 1.20.x - 1.21.x - 1.22.x - 1.23.x - 1.24.x - 1.25.x - 1.26.x + - 1.27.x + - 1.28.x + - 1.29.x validations: required: true - type: dropdown @@ -61,6 +75,7 @@ body: - KinD - Minikube - K3d + - K3s - OpenShift - VMware Tanzu (specify in description) - Bare metal 
@@ -133,7 +148,7 @@ body: This will be automatically formatted into code, so no need for backticks. For help on how to view Pod logs in Kubernetes, see [here](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-running-pod/#examine-pod-logs). For guidance on how to enable more verbose log output in Kyverno, see [the documentation](https://kyverno.io/docs/troubleshooting/#policies-are-partially-applied). - render: shell + render: Shell - type: input id: slack attributes: diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 2ca959acb415..a620319a5359 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -25,6 +25,13 @@ Add the milestone label by commenting `/milestone 1.2.3`. --> +## Documentation (required for features) + +My PR contains new or altered behavior to Kyverno. +- [ ] I have sent the draft PR to add or update [the documentation](https://github.com/kyverno/website) and the link is: + + + ## What type of PR is this - - - [ ] I have raised an issue in [kyverno/website](https://github.com/kyverno/website) to track the documentation update and the link is: - - ## Further Comments diff --git a/.github/actions/kyverno-logs/action.yaml b/.github/actions/kyverno-logs/action.yaml index f03b4a5827c0..10ccde215621 100644 --- a/.github/actions/kyverno-logs/action.yaml +++ b/.github/actions/kyverno-logs/action.yaml 
@@ -9,15 +9,14 @@ runs: run: | kubectl get mutatingwebhookconfigurations kubectl get validatingwebhookconfigurations + kubectl auth can-i --list --as system:serviceaccount:kyverno:kyverno-background-controller - shell: bash run: | kubectl -n kyverno get pod kubectl -n kyverno describe pod | grep -i events -A10 - shell: bash run: | - kubectl -n kyverno logs deploy/kyverno --all-containers -p || true - kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers -p || true - - shell: bash - run: | - kubectl -n kyverno logs deploy/kyverno --all-containers + kubectl -n kyverno logs deploy/kyverno-admission-controller --all-containers + kubectl -n kyverno logs deploy/kyverno-background-controller --all-containers + kubectl -n kyverno logs deploy/kyverno-reports-controller --all-containers kubectl -n kyverno logs deploy/kyverno-cleanup-controller --all-containers diff --git a/.github/actions/kyverno-wait-ready/action.yaml b/.github/actions/kyverno-wait-ready/action.yaml index 0cbe8bce68d7..edf36e34981d 100644 --- a/.github/actions/kyverno-wait-ready/action.yaml +++ b/.github/actions/kyverno-wait-ready/action.yaml @@ -7,4 +7,4 @@ runs: steps: - shell: bash run: | - kubectl wait --namespace kyverno --for=condition=ready pod --all --timeout=60s + kubectl wait --namespace kyverno --for=condition=ready pod --selector '!job-name' --timeout=60s diff --git a/.github/actions/publish-image/action.yaml b/.github/actions/publish-image/action.yaml new file mode 100644 index 000000000000..368531c18607 --- /dev/null +++ b/.github/actions/publish-image/action.yaml 
@@ -0,0 +1,88 @@ +name: Publish image + +description: Publishes a docker image, SBOM, scans vulns, and signs the image. + +inputs: + makefile-target: + required: true + description: makefile target to invoke for publishing image with ko + registry: + required: true + description: registry to publish image to + registry-username: + required: true + description: registry credentials username + registry-password: + required: true + description: registry credentials password + repository: + required: true + description: repository to publish image to + version: + required: true + description: published image version + sign-image: + required: true + description: sign image + sbom-name: + required: true + description: name of the cyclonedx sbom + sbom-repository: + required: true + description: sbom repository + signature-repository: + required: true + description: signature repository + main-path: + required: true + description: path to main go entry point + +outputs: + digest: + value: ${{ steps.digest.outputs.digest }} + description: published image digest + +runs: + using: composite + steps: + - shell: bash + id: ko-publish + env: + REGISTRY: ${{ inputs.registry }} + REPO: ${{ inputs.repository }} + REGISTRY_PASSWORD: ${{ inputs.registry-password }} + COSIGN_REPOSITORY: ${{ inputs.sbom-repository }} + run: | + set -e + echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT + - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0 + with: + version: v1 + args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }} + - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: ${{ inputs.sbom-name }}-bom-cdx + path: ${{ inputs.sbom-name }}-bom.cdx.json + - shell: bash + if: ${{ inputs.sign-image == 'true' }} + env: + COSIGN_REPOSITORY: ${{ inputs.signature-repository }} + run: | + set -e + cosign sign --yes \ + -a 
"repo=${{ github.repository }}" \ + -a "workflow=${{ github.workflow }}" \ + -a "ref=${{ github.sha }}" \ + ${{ steps.ko-publish.outputs.digest }} + - shell: bash + env: + COSIGN_REPOSITORY: ${{ inputs.sbom-repository }} + run: | + cosign attach sbom --sbom ./${{ inputs.sbom-name }}-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }} + - shell: bash + id: digest + run: | + echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}" + DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2) + echo "Digest from image is: $DIGEST" + echo "digest=$DIGEST" >> $GITHUB_OUTPUT diff --git a/.github/actions/setup-build-env/action.yaml b/.github/actions/setup-build-env/action.yaml index a9b7f0b7a01a..40dea8c9b8b7 100644 --- a/.github/actions/setup-build-env/action.yaml +++ b/.github/actions/setup-build-env/action.yaml 
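Review bot: In the `ko-publish` step the `run:` script interpolates `${{ inputs.version }}` and `${{ inputs.makefile-target }}` directly into shell, so any caller that derives these from untrusted data (a tag or branch name, a PR title) can inject commands into a job that holds registry and signing credentials; route them through `env:` instead, e.g. `VERSION: ${{ inputs.version }}` and `MAKEFILE_TARGET: ${{ inputs.makefile-target }}` with `echo "digest=$(VERSION="$VERSION" make "$MAKEFILE_TARGET")" >> "$GITHUB_OUTPUT"`. The `digest` step repeats the pattern with `${{ steps.ko-publish.outputs.digest }}`, which is computed from that same output. The `registry-username` input is declared `required: true` but is never read anywhere in the action (only `REGISTRY_PASSWORD` is exported), so either the Makefile target obtains a username from elsewhere, which deserves a comment, or the input can be dropped.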
@@ -6,32 +6,29 @@ inputs: unshallow: description: git unshallow default: 'true' - build-cache-key: - description: build cache prefix + free-disk-space: + description: free disk space + default: 'true' runs: using: composite steps: + - uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0 + if: ${{ inputs.free-disk-space == 'true' }} + with: + tool-cache: true + android: true + dotnet: true + haskell: true + large-packages: false + swap-storage: false - shell: bash if: ${{ inputs.unshallow == 'true' }} run: | git fetch --prune --unshallow - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: ~1.19.4 - - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 - with: - path: ~/go/pkg/mod - key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} - - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 - with: - path: ~/.cache/kyverno/tools - key: ${{ runner.os }}-cache-kyverno-tools-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} - - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 - if: ${{ inputs.build-cache-key }} - with: - path: ~/.cache/go-build - key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} + go-version: ~1.22.4 - shell: bash run: | go mod download diff --git a/.github/actions/setup-caches/action.yaml b/.github/actions/setup-caches/action.yaml new file mode 100644 index 000000000000..99be71523404 --- /dev/null +++ b/.github/actions/setup-caches/action.yaml 
@@ -0,0 +1,24 @@ +name: Setup caches + +description: Setup caches for go modules, tools and build cache. + +inputs: + build-cache-key: + description: build cache prefix + +runs: + using: composite + steps: + - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 + with: + path: ~/go/pkg/mod + key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} + - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 + with: + path: ~/.cache/kyverno/tools + key: ${{ runner.os }}-cache-kyverno-tools-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} + - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 + if: ${{ inputs.build-cache-key }} + with: + path: ~/.cache/go-build + key: ${{ runner.os }}-build-cache-${{ inputs.build-cache-key }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} diff --git a/.github/actions/setup-test-env/action.yaml b/.github/actions/setup-test-env/action.yaml index df2404785d0d..e06a4c2baf58 100644 --- a/.github/actions/setup-test-env/action.yaml +++ b/.github/actions/setup-test-env/action.yaml @@ -5,11 +5,23 @@ description: Create kind cluster, deploy kyverno, and wait pods are ready. inputs: version: description: kubernetes version - required: true + default: v1.30.0 + free-disk-space: + description: free disk space + default: 'false' runs: using: composite steps: + - uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0 + if: ${{ inputs.free-disk-space == 'true' }} + with: + tool-cache: true + android: true + dotnet: true + haskell: true + large-packages: false + swap-storage: false - shell: bash run: | export KIND_IMAGE=kindest/node:${{ inputs.version }} diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml deleted file mode 100644 index dd85561c208d..000000000000 --- a/.github/dependabot.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -version: 2 -updates: - - package-ecosystem: gomod - directory: / - schedule: - interval: daily - rebase-strategy: disabled - - package-ecosystem: github-actions - directory: / - schedule: - interval: daily - rebase-strategy: disabled diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000000..fbfd4e5966bd --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,17 @@ +version: 2 +updates: + - package-ecosystem: gomod + directory: / + schedule: + interval: daily + rebase-strategy: disabled + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + rebase-strategy: disabled + - package-ecosystem: docker + directory: /.devcontainer + schedule: + interval: daily + rebase-strategy: disabled diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml index a06d649e995b..185ae3b46d1b 100644 --- a/.github/workflows/check-actions.yaml +++ b/.github/workflows/check-actions.yaml @@ -1,10 +1,13 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Check actions +permissions: {} + on: push: branches: - - 'main' - - 'release*' + - '*' pull_request: branches: - 'main' @@ -15,9 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Ensure SHA pinned actions - uses: zgosalvez/github-actions-ensure-sha-pinned-actions@bd2868d14a756969608c618665394415a238de69 # v2.0.5 + uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b88cd0aad2c36a63e42c71f81cb1958fed95ac87 # v3.0.10 with: # slsa-github-generator requires using a semver tag for reusable workflows. # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators 
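Review bot: The push trigger replaces `'main'` and `'release*'` with `'*'`, but a single `*` in a GitHub branch filter does not match `/`, so branches such as `dependabot/...` or any `feature/x` name will not run this workflow on push; if the intent is every branch, use `'**'`. The same substitution appears in the Codecov workflow later in this commit. The rest of the hunk, the top-level `permissions: {}` and the SHA-pinned action bumps, looks right.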
diff --git a/.github/workflows/check-milestone-label.yaml b/.github/workflows/check-milestone-label.yaml
new file mode 100644
index 000000000000..724a365d3701
--- /dev/null
+++ b/.github/workflows/check-milestone-label.yaml
@@ -0,0 +1,32 @@
+name: check-milestone-label
+
+permissions: {}
+
+on:
+ pull_request:
+ branches:
+ - 'main'
+ types:
+ - opened
+ - synchronize
+ - edited
+ - reopened
+ - labeled
+ - unlabeled
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ check_labels:
+ name: Check milestone label for pull request
+ runs-on: ubuntu-latest
+ if: ${{ github.actor != 'dependabot[bot]' }} # dependabot prs do not have to be in milestone
+ steps:
+ - name: require milestone label for pull request
+ uses: docker://agilepathway/pull-request-label-checker:latest
+ with:
+ prefix_mode: true
+ one_of: "milestone"
+ repo_token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/clean-stale-branches.yaml b/.github/workflows/clean-stale-branches.yaml
new file mode 100644
index 000000000000..12d4852d8dff
--- /dev/null
+++ b/.github/workflows/clean-stale-branches.yaml
@@ -0,0 +1,20 @@
+name: Cleanup Stale Branches
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 0 * * *' # This schedule runs the workflow at midnight every day
+
+jobs:
+ cleanup-stale-branches:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Cleanup Stale Branches
+ uses: cbrgm/cleanup-stale-branches-action@3a038290b56a3936cb9666a3f48adb3b6af7e583 # v1.1.20
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ repository: ${{ github.repository }}
+ allowed-prefixes: "dependabot/,temp-cherry-pick-,cherry-pick-"
+ last-commit-age-days: 7
+ dry-run: false
+ rate-limit: true
diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml
index f2e9b8a06a81..a09dc4832a24 100644
--- a/.github/workflows/cli.yaml
+++ b/.github/workflows/cli.yaml
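Review bot: The `require milestone label` step uses `docker://agilepathway/pull-request-label-checker:latest`, a mutable tag, and hands it `secrets.GITHUB_TOKEN`; this is exactly what the repository's own `Ensure SHA pinned actions` check exists to prevent, and a `docker://` reference can be pinned by image digest, `uses: docker://agilepathway/pull-request-label-checker@sha256:<IMAGE_DIGEST>`. With `permissions: {}` at workflow level and none declared on the job, the token passed as `repo_token` carries no scopes, so the checker will presumably be unable to read labels on private forks unless the job adds `permissions: pull-requests: read`; worth verifying on a real pull request before relying on it.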
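Review bot: Unlike the other workflows in this commit, this file declares no `permissions:` block, so the scheduled job runs with whatever the repository's default `GITHUB_TOKEN` grants, and with `dry-run: false` it deletes matching branches on every run; declare the minimum explicitly, `permissions: contents: write` on the `cleanup-stale-branches` job (branch deletion through the refs API needs it) with a top-level `permissions: {}` to match the rest of the repo. A comment next to `allowed-prefixes` stating that only `dependabot/` and cherry-pick branches are eligible for deletion and everything else is untouched would also make the blast radius obvious to reviewers.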
@@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: cli +permissions: {} + on: push: branches: 
@@ -14,34 +18,69 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: cli-test: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true with: build-cache-key: cli-test + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: Setup TEST_GIT_BRANCH run: | if [[ ${{ github.event_name }} == "push" ]] then - export TEST_GIT_BRANCH=${GITHUB_REF##*/} + echo "TEST_GIT_BRANCH=${GITHUB_REF##*/}" >> $GITHUB_ENV elif [[ ${{ github.event_name }} == "pull_request" ]] then - export TEST_GIT_BRANCH=${{ github.event.pull_request.base.ref }} + echo "TEST_GIT_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV fi - name: Test CLI run: | - make test-cli + KYVERNO_KUBECTL_VALIDATE=false VERSION=${{ github.ref_name }} make test-cli - name: Test CLI (failures) run: | CLI_PATH=$PWD/cmd/cli/kubectl-kyverno/kubectl-kyverno $CLI_PATH test ./test/cli/test-fail/missing-policy && exit 1 || exit 0 $CLI_PATH test ./test/cli/test-fail/missing-rule && exit 1 || exit 0 $CLI_PATH test ./test/cli/test-fail/missing-resource && exit 1 || exit 0 + + kubectl-validate-cli-test: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: cli-test + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Setup TEST_GIT_BRANCH + run: | + if [[ ${{ github.event_name }} == "push" ]] + then + echo "TEST_GIT_BRANCH=${GITHUB_REF##*/}" 
>> $GITHUB_ENV + elif [[ ${{ github.event_name }} == "pull_request" ]] + then + echo "TEST_GIT_BRANCH=${{ github.event.pull_request.base.ref }}" >> $GITHUB_ENV + fi + - name: Test CLI + run: | + VERSION=${{ github.ref_name }} make test-cli + - name: Test CLI (failures) + run: | + CLI_PATH=$PWD/cmd/cli/kubectl-kyverno/kubectl-kyverno + KYVERNO_KUBECTL_VALIDATE=true $CLI_PATH test ./test/cli/test-fail/missing-policy && exit 1 || exit 0 + KYVERNO_KUBECTL_VALIDATE=true $CLI_PATH test ./test/cli/test-fail/missing-rule && exit 1 || exit 0 + KYVERNO_KUBECTL_VALIDATE=true $CLI_PATH test ./test/cli/test-fail/missing-resource && exit 1 || exit 0 diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml index d6fef10f2650..f3c451665d7a 100644 --- a/.github/workflows/codecov.yaml +++ b/.github/workflows/codecov.yaml 
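Review bot: The `Setup TEST_GIT_BRANCH` step is copied verbatim into both `cli-test` and `kubectl-validate-cli-test`, and both expand `${{ github.event_name }}` and `${{ github.event.pull_request.base.ref }}` directly inside the shell script; although the base ref is maintainer-controlled here, GitHub's recommended practice of passing expressions through `env:` avoids the injection pattern and the unquoted `$GITHUB_ENV`, e.g. `env: BASE_REF: ${{ github.event.pull_request.base.ref }}` with `echo "TEST_GIT_BRANCH=$BASE_REF" >> "$GITHUB_ENV"`. Both jobs also reuse `build-cache-key: cli-test` while building under different `KYVERNO_KUBECTL_VALIDATE` settings, so whichever job finishes last overwrites the other's build cache; a distinct key such as `kubectl-validate-cli-test` for the second job keeps them independent, though this is minor. The `cli-test` job this hunk modifies begins on the previous line of the diff.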
@@ -1,37 +1,65 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Codecov +permissions: {} + on: push: branches: - - 'main' - - 'release*' + - '*' pull_request: branches: - - 'main' - - 'release*' + - 'main' + - 'release*' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: - codecov: + unit-tests: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: codecov + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + with: + free-disk-space: false + - name: Generate Code Coverage Report + run: make code-cov-report + - name: Upload coverage + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: coverage.out + path: coverage.out + retention-days: 1 + if-no-files-found: error + + upload-to-codecov: + needs: + - unit-tests runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env - with: - build-cache-key: codecov - - name: Generate Code Coverage Report - run: make code-cov-report - - name: Upload Report to Codecov - uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1 - with: - file: ./coverage.out - fail_ci_if_error: true - verbose: true + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Download coverage + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: coverage.out + - name: Upload Report to Codecov + uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 + with: + files: ./coverage.out + 
fail_ci_if_error: true + verbose: true + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/comment-commands.yaml b/.github/workflows/comment-commands.yaml index 791dbeb6ccca..775552708ee8 100644 --- a/.github/workflows/comment-commands.yaml +++ b/.github/workflows/comment-commands.yaml @@ -1,18 +1,21 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Issue and PR comment commands +permissions: {} + on: issue_comment: types: - created - edited -permissions: - issues: write - pull-requests: write - jobs: execute: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: jpmcb/prow-github-actions@f4d01dd4b13f289014c23fe5a19878a2479cb35b # v1.1.3 with: diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 4ab0aa837f71..bbfdc7d5f024 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml 
@@ -1,35 +1,1036 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Conformance tests +permissions: {} + on: pull_request: branches: - - 'main' - - 'release*' + - "main" + - "release*" concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: - run-conformance: + prepare-images: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: build-images + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + with: + free-disk-space: false + - name: ko build + shell: bash + run: | + set -e + VERSION=${{ github.ref_name }} make docker-save-image-all + - name: upload images archive + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: kyverno.tar + path: kyverno.tar + retention-days: 1 + if-no-files-found: error + + prepare-cli: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: build-cli + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + with: + free-disk-space: false + - name: Build CLI + shell: bash + run: | + set -e + VERSION=${{ github.ref_name }} make build-cli + - name: upload images archive + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: kubectl-kyverno + path: cmd/cli/kubectl-kyverno/kubectl-kyverno + retention-days: 1 + if-no-files-found: error + + standard: + runs-on: ubuntu-latest + permissions: + packages: read strategy: fail-fast: false matrix: - k8s-version: [v1.24.7, v1.25.3, v1.26.0] + config: + - 
name: standard + values: + - standard + k8s-version: + - name: v1.27 + version: v1.27.13 + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - ^assert$ + - ^autogen$ + - ^background-only$ + - ^cleanup$ + - ^deferred$ + - ^events$ + - ^exceptions$ + - ^filter$ + - ^generate$/^clusterpolicy$ + - ^generate$/^policy$ + - ^generate$/^validation$ + - ^globalcontext$ + - ^lease$ + - ^mutate$ + - ^policy-validation$ + - ^rangeoperators$ + - ^rbac$ + - ^reports$ + - ^validate$ + - ^verify-manifests$ + - ^verifyImages$ + - ^webhooks$ + needs: + - prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: 
bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + validatingadmissionpolicies-v1alpha1: runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: validating-admission-policies + values: + - standard + - generate-validating-admission-policy + k8s-version: + - name: v1.27 + version: v1.27.13 + tests: + - generate-validating-admission-policy + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: - build-cache-key: run-conformance - - name: Setup test env - uses: ./.github/actions/setup-test-env + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/vap-v1alpha1.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + 
shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + k8s-version-specific-tests-above-1-28: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: specific-tests-above-1-28 + values: + - standard + - generate-validating-admission-policy + k8s-version: + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - generate-validating-admission-policy + - webhook-configurations + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/vap-v1beta1.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images 
archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + validatingadmissionpolicies-reports-v1alpha1: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: validating-admission-policy-reports + values: + - standard + - validating-admission-policy-reports + k8s-version: + - name: v1.27 + version: v1.27.13 + tests: + - validating-admission-policy-reports + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/vap-v1alpha1.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: 
+ name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + validatingadmissionpolicies-reports-v1beta1: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: validating-admission-policy-reports + values: + - standard + - validating-admission-policy-reports + k8s-version: + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - validating-admission-policy-reports + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/vap-v1beta1.yaml + # deploy kyverno + - name: 
Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + force-failure-policy-ignore: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: force-failure-policy-ignore + values: + - standard + - force-failure-policy-ignore + k8s-version: + - name: v1.27 + version: v1.27.13 + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - force-failure-policy-ignore + - rbac + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ 
matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + ttl: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: ttl + values: + - standard + - ttl + k8s-version: + - name: v1.27 + version: v1.27.13 + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - ttl + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: 
kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + custom-sigstore: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: custom-sigstore + values: + - standard + - custom-sigstore + k8s-version: + - name: v1.27 + version: v1.27.x + - name: v1.28 + version: v1.28.x + - name: v1.29 + version: v1.29.x + - name: v1.30 + version: v1.30.x + tests: + - custom-sigstore + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install crane + uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e + - name: Install Cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 + - name: 
Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster and setup Sigstore Scaffolding + uses: sigstore/scaffolding/actions/setup@634364a897dff805b1a26ab18abaefe379616785 + with: + version: main + k8s-version: ${{ matrix.k8s-version.version }} + knative-version: "1.10.0" + - name: Create TUF values config map + run: | + set -e + kubectl create namespace kyverno + kubectl -n kyverno create configmap tufvalues --from-literal=TUF_MIRROR=$TUF_MIRROR --from-literal=FULCIO_URL=$FULCIO_URL --from-literal=REKOR_URL=$REKOR_URL --from-literal=CTLOG_URL=$CTLOG_URL --from-literal=ISSUER_URL=$ISSUER_URL + kubectl -n tuf-system get secrets tuf-root -oyaml | sed 's/namespace: .*/namespace: kyverno/' | kubectl create -f - + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: - version: ${{ matrix.k8s-version }} - - name: Test with kuttl - run: make test-kuttl + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # prepare test image + - name: Create test image + shell: bash + run: | + DIGEST=$(crane digest cgr.dev/chainguard/static) + IMAGE_NAME=$(uuidgen | tr "[:upper:]" "[:lower:]") + TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h + crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL + cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json + COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y + echo 
"TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs + + default: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + config: + - name: default + values: + - default + k8s-version: + - name: v1.27 + version: v1.27.13 + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - rbac + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready 
+ uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --test-dir ./${{ matrix.tests }} --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + policy-library: + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + config: + - name: policy-library + values: + - standard + k8s-version: + - name: v1.27 + version: v1.27.13 + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + - name: v1.30 + version: v1.30.0 + tests: + - ^argo$ + - ^aws$ + - ^best-practices$ + - ^castai$ + - ^cert-manager$ + - ^consul$ + - ^external-secret-operator$ + - ^flux$ + - ^istio$ + - ^karpenter$ + - ^kasten$ + - ^kubecost$ + - ^kubeops$ + - ^kubevirt$ + - ^linkerd$ + - ^nginx-ingress$ + - ^openshift$ + - ^other$/^a + - ^other$/^[b-d] + - ^other$/^[e-l] + - ^other$/^[m-q] + - ^other$/^re[c-q] + - ^other$/^res + - ^other$/^[s-z] + - ^pod-security$ + - ^pod-security-cel$ + - ^psa$ + - ^psp-migration$ + # - ^tekton + # - ^traefik + # - ^velero + needs: + - prepare-images + - prepare-cli + name: ${{ matrix.k8s-version.name }} - ${{ matrix.config.name }} - ${{ matrix.tests }} + steps: + - name: Checkout kyverno/kyverno + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout kyverno/policies + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + repository: kyverno/policies + path: policies + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + - name: Download kyverno CLI archive + uses: 
actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kubectl-kyverno + - name: Install Kyverno CLI + shell: bash + run: | + set -e + chmod +x kubectl-kyverno && mv kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno + echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Install CRDs + run: | + set -e + kubectl apply -f ./policies/.chainsaw/crds + - name: Test with Chainsaw + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd policies + chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --no-color=false + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + monitor-helm-secret-size: + runs-on: ubuntu-latest + permissions: + packages: read + needs: prepare-images + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: run-conformance + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: Create 
kind cluster + shell: bash + run: | + set -e + make kind-create-cluster + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + make kind-load-image-archive + - name: Install kyverno + shell: bash + run: | + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + - name: Check secret size + shell: bash + run: | + set -e + set -u + SIZE=$(kubectl get secrets -n kyverno sh.helm.release.v1.kyverno.v1 -o jsonpath='{.data.release}' | base64 -d | wc -c | awk '{print $1}') + MAX_ALLOWED=1030000 + if [ "$SIZE" -gt "$MAX_ALLOWED" ]; then + echo "Helm secret size ($SIZE bytes) is above the max allowed ($MAX_ALLOWED bytes)" + exit 1 + else + echo "Helm secret size ($SIZE bytes) is below the max allowed ($MAX_ALLOWED bytes)" + fi + + check-tests: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + tests: + - ^cli$ + needs: + - prepare-cli + name: ${{ matrix.tests }} - chainsaw + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + # install tools + - name: Download kyverno CLI archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kubectl-kyverno + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@82d8e747037f840e0ef9bdd97ecdc617f5535bdc # v0.2.8 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:v1.30.0 + cluster_name: kind + config: ./scripts/config/kind/default.yaml + - name: Install Kyverno CLI + shell: bash + run: | + set -e + chmod +x kubectl-kyverno && mv kubectl-kyverno ./cmd/cli/kubectl-kyverno/kyverno + echo "$PWD/cmd/cli/kubectl-kyverno" >> $GITHUB_PATH + # run 
tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw && chainsaw test --include-test-regex '^chainsaw$/${{ matrix.tests }}' --config ../../../.chainsaw.yaml + - name: Fix test files + shell: bash + run: | + set -e + KYVERNO_EXPERIMENTAL=true kyverno fix test ./test/cli --save --compress + make verify-cli-tests + + conformance-required-success: + name: conformance-required + needs: + - standard + - ttl + - force-failure-policy-ignore + - validatingadmissionpolicies-v1alpha1 + - k8s-version-specific-tests-above-1-28 + - validatingadmissionpolicies-reports-v1alpha1 + - validatingadmissionpolicies-reports-v1beta1 + - custom-sigstore + - default + - monitor-helm-secret-size + - check-tests + runs-on: ubuntu-latest + if: ${{ success() }} + steps: + - run: ${{ true }} + + conformance-required-failure: + name: conformance-required + needs: + - standard + - ttl + - force-failure-policy-ignore + - validatingadmissionpolicies-v1alpha1 + - k8s-version-specific-tests-above-1-28 + - validatingadmissionpolicies-reports-v1alpha1 + - validatingadmissionpolicies-reports-v1beta1 + - custom-sigstore + - default + - monitor-helm-secret-size + - check-tests + runs-on: ubuntu-latest + if: ${{ failure() || cancelled() }} + steps: + - run: ${{ false }} diff --git a/.github/workflows/devcontainer-build.yaml b/.github/workflows/devcontainer-build.yaml new file mode 100644 index 000000000000..064c2bba4fd6 --- /dev/null +++ b/.github/workflows/devcontainer-build.yaml 
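Review bot: In the `custom-sigstore` job, `imjasonh/setup-crane@31b88…`, `sigstore/cosign-installer@4959ce…` and `sigstore/scaffolding/actions/setup@634364…` are SHA-pinned but carry no version comment, unlike every other action in this hunk, and the scaffolding action is invoked with `version: main`, which makes that job track an unpinned upstream branch; the cosign-installer SHA is the one annotated `# v3.6.0` in helm-release.yaml, so at least that comment can be copied, and `version: main` should become a released scaffolding version. The `policy-library` job checks out `kyverno/policies` without a `ref:` and then runs `kubectl apply -f ./policies/.chainsaw/crds` and that repository's chainsaw tests, so CI results depend on whatever its default branch holds at run time — add `ref:` (a tag or SHA) under `repository: kyverno/policies`, or comment why it is intentionally floating. As a point of style, the install-helm / install-chainsaw / kind / download-artifact / load / install / wait-ready sequence is repeated nearly verbatim across most of the test jobs; the repo already uses composite actions (`./.github/actions/kyverno-wait-ready`), so that sequence is a natural candidate for one more. In `monitor-helm-secret-size`, `MAX_ALLOWED=1030000` deserves a comment such as `# keep headroom under the ~1 MiB etcd/Kubernetes object size limit` — presumably that is the limit it guards against.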
@@ -0,0 +1,32 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: Build devcontainer + +permissions: {} + +on: + pull_request: + branches: + - 'main' + - 'release*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + devcontainer-build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Build devcontainer image + run: docker build .devcontainer + - name: Trivy Scan Image + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 4bae26ca72ec..09bb05332dbd 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: FOSSA +permissions: {} + on: push: branches: 
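Review bot: The Trivy step never scans the image the previous step built: `docker build .devcontainer` produces an untagged image and `scan-type: 'fs'` scans the checked-out repository tree instead, the SARIF written to `trivy-results.sarif` is neither uploaded nor read by a later step, and with no `exit-code` the step cannot fail on findings — so as written the job only proves the Dockerfile builds. Tag the build, switch to an image scan with `image-ref`, set `exit-code: '1'` so CRITICAL/HIGH findings fail the job, and upload the SARIF, which needs `security-events: write` on the job; on `pull_request` runs from forks the token is read-only, so the upload step will presumably need an `if:` guard or the job can rely on `exit-code` alone.
```yaml
  devcontainer-build:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      # … unchanged: Checkout step …
      - name: Build devcontainer image
        run: docker build -t devcontainer:ci .devcontainer
      - name: Trivy Scan Image
        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
        with:
          scan-type: 'image'
          image-ref: devcontainer:ci
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
      - name: Upload Trivy results
        if: always()
        uses: github/codeql-action/upload-sarif@<PINNED_SHA> # placeholder: pin to a released tag's commit SHA
        with:
          sarif_file: 'trivy-results.sarif'
```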
@@ -9,25 +13,29 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: fossa-scan: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Check secret id: checksecret uses: ./.github/actions/is-defined with: value: ${{ secrets.FOSSA_API_KEY }} + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env if: steps.checksecret.outputs.result == 'true' uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + with: + free-disk-space: false - name: Run FOSSA analysis if: steps.checksecret.outputs.result == 'true' - uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 + uses: fossas/fossa-action@09bcf127dc0ccb4b5a023f6f906728878e8610ba # v1.4.0 with: api-key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml index 4332240ad86f..8edfaa23dc56 100644 --- a/.github/workflows/helm-release.yaml +++ b/.github/workflows/helm-release.yaml @@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: helm-release +permissions: {} + on: push: tags: 
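Review bot: The new `Setup caches` step is not gated on `steps.checksecret.outputs.result == 'true'`, while the `Setup build env` and `Run FOSSA analysis` steps right after it are, so runs without `FOSSA_API_KEY` (forks in particular) still spend time restoring caches for nothing; add `if: steps.checksecret.outputs.result == 'true'` to it as well, or lift the secret check to a job-level `if`. Replacing the top-level `contents: read` with `permissions: {}` is fine only if the `fossa-scan` job needs no token scopes at all; the job has no `permissions` block, so if the FOSSA action or checkout ever needs the token, this is where it would surface.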
@@ -13,16 +17,33 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env uses: ./.github/actions/setup-build-env - - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 + timeout-minutes: 10 + - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.7 - name: Set up chart-testing - uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run chart-testing (lint) - run: ct lint --target-branch=main --check-version-increment=false + run: ct lint --target-branch=main --check-version-increment=false --validate-maintainers=false + + linter-artifacthub: + runs-on: ubuntu-latest + container: + image: artifacthub/ah + options: --user root + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Run ah lint + working-directory: ./charts/ + run: ah lint create-release: runs-on: ubuntu-latest 
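Review bot: The new `linter-artifacthub` job runs in `container: image: artifacthub/ah` with no tag or digest, so a release workflow in which every action is SHA-pinned pulls a floating `latest` image and runs it as `--user root`; pin it, e.g. `image: artifacthub/ah@sha256:<IMAGE_DIGEST>` with a version comment, and the same applies to the identical job added in helm-test.yaml. Separately, `python-version: 3.7` is kept while `setup-python` is bumped to v5.1.1; 3.7 is end-of-life and may no longer be provided on current `ubuntu-latest` runners, so it is worth verifying or bumping alongside the chart-testing update.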
@@ -34,19 +55,22 @@ jobs: pages: write steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: Install Helm - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 with: version: v3.10.3 - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - with: - cosign-release: 'v1.13.0' + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Set version run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV @@ -79,14 +103,12 @@ jobs: helm registry login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io - name: Publish OCI Charts - env: - COSIGN_EXPERIMENTAL: 1 run: | for dir in `find charts-tmp -maxdepth 1 -mindepth 1 -type d -print`; do chart=${dir##*/} echo "Found chart: ${chart}" helm package charts-tmp/${chart} --destination .dist helm push .dist/${chart}-*.tgz oci://ghcr.io/${{ github.repository_owner }}/charts |& tee .digest - cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.CR_PAT_ARTIFACTS }} ghcr.io - cosign sign ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}') + cosign login --username ${GITHUB_ACTOR} --password ${{ secrets.GITHUB_TOKEN }} ghcr.io + cosign sign --yes ghcr.io/${{ github.repository_owner }}/charts/${chart}@$(cat .digest | awk -F "[, ]+" '/Digest/{print $NF}') done diff --git a/.github/workflows/helm-test.yaml b/.github/workflows/helm-test.yaml index b895c96871e0..a246d3bcd69d 100644 --- a/.github/workflows/helm-test.yaml 
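Review bot: The `helm push ... |& tee .digest` line in the Publish OCI Charts loop still masks a failed push, because the pipeline's status is `tee`'s and this `run:` block does not enable `pipefail`; the following `cosign sign --yes` line then runs against `.../charts/${chart}@` with whatever `awk` extracted, which on a failed push is empty, so the step fails late with a misleading signing error instead of at the push. Adding `set -euo pipefail` as the first line of the script, or putting `shell: bash` on the step (GitHub's explicit bash shell wraps the script with `-eo pipefail`), makes a failed push abort the loop before signing. Dropping `COSIGN_EXPERIMENTAL` and adding `--yes` is consistent with the cosign v2 default installed by the updated cosign-installer step in the previous hunk; the keyless flow still needs `id-token: write` on this job, and that permissions block is outside the hunk.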
+++ b/.github/workflows/helm-test.yaml @@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: helm-test +permissions: {} + on: pull_request: branches: @@ -18,18 +22,44 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: helm-tests - name: Setup build env uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: Setup python - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435 # v4.5.0 + uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 with: python-version: 3.7 - name: Set up chart-testing - uses: helm/chart-testing-action@afea100a513515fbd68b0e72a7bb0ae34cb62aec # v2.3.1 + uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1 - name: Run chart-testing (lint) run: | if [[ $(ct list-changed --target-branch=main) ]]; then - ct lint --target-branch=main --check-version-increment=false + ct lint --target-branch=main --check-version-increment=false --validate-maintainers=false fi + - name: Setup test env + uses: ./.github/actions/setup-test-env + - name: Helm test + run: make helm-test + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs + + linter-artifacthub: + runs-on: ubuntu-latest + container: + image: artifacthub/ah + options: --user root + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Run ah lint + working-directory: ./charts/ + run: ah lint diff --git a/.github/workflows/image-build.yaml b/.github/workflows/image-build.yaml deleted file mode 100644 index 63158b25da10..000000000000 --- a/.github/workflows/image-build.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -name: image-build -on: - push: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -permissions: - contents: read - packages: write - id-token: write - -jobs: - pre-checks: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env - - name: gofmt check - run: | - if [ "$(gofmt -s -l . | wc -l)" -ne 0 ] - then - echo "The following files were found to be not go formatted:" - gofmt -s -l . - echo "Please run 'make fmt' to go format the above files." - exit 1 - fi - - name: goimports - run: | - if [ "$(goimports -l . | wc -l)" -ne 0 ] - then - echo "The following files were found to have import formatting issues:" - goimports -l -l . - echo "Please run 'make fmt' to go format the above files." - exit 1 - fi - - name: golangci-lint - uses: reviewdog/action-golangci-lint@53f8eabb87b40b1a2c63ec75b0d418bd0f4aa919 # v2.2.2 - - name: Checking unused pkgs using go mod tidy - run: | - make unused-package-check - - build-init-kyverno: - runs-on: ubuntu-latest - needs: pre-checks - steps: - - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env - - name: ko build - run: make ko-build-kyvernopre - - build-kyverno: - runs-on: ubuntu-latest - needs: pre-checks - steps: - - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env - - name: ko build - run: make ko-build-kyverno - - name: Trivy Scan Image - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - build-kyverno-cleanup-controller: - 
runs-on: ubuntu-latest - needs: pre-checks - steps: - - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env - - name: ko build - run: make ko-build-cleanup-controller - - build-kyverno-cli: - runs-on: ubuntu-latest - needs: pre-checks - steps: - - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env - - name: ko build - run: make ko-build-cli diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml deleted file mode 100644 index 6e64201e3d16..000000000000 --- a/.github/workflows/image.yaml +++ /dev/null @@ -1,56 +0,0 @@ -name: image -on: - push: - branches: - - 'main' - - 'release*' - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -permissions: - contents: read - packages: write - id-token: write - -jobs: - push-init-kyverno: - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-kyvernopre - image_name: kyvernopre - tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} - - push-kyverno: - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-kyverno - image_name: kyverno - tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} - - push-cleanup-controller: - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-cleanup-controller - image_name: cleanup-controller - tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} - - push-kyverno-cli: - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-cli - image_name: kyverno-cli - tag: image - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} 
diff --git a/.github/workflows/images-build.yaml b/.github/workflows/images-build.yaml new file mode 100644 index 000000000000..90b6b5e45e57 --- /dev/null +++ b/.github/workflows/images-build.yaml @@ -0,0 +1,40 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: Build images + +permissions: {} + +on: + push: + branches: + - '*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + build-images: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: build-images + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: ko build + run: VERSION=${{ github.ref_name }} make ko-build-all + - name: Trivy Scan Image + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' diff --git a/.github/workflows/images-publish.yaml b/.github/workflows/images-publish.yaml new file mode 100644 index 000000000000..0a3671f7c71d --- /dev/null +++ b/.github/workflows/images-publish.yaml 
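Review bot: The `Trivy Scan Image` step scans with `scan-type: 'fs'`, so it inspects the checked-out repository rather than the images the preceding `ko build` step just produced, and the `trivy-results.sarif` it writes is neither uploaded nor read by any later step; with no `exit-code` set, trivy's default of 0 means CRITICAL/HIGH findings never fail the job either. Either rename the step to say it is a repository scan and add an upload of the SARIF (for example `github/codeql-action/upload-sarif`, which needs `security-events: write`), or set `exit-code: '1'` so findings are surfaced. The identical step in images-publish.yaml's `publish-images` job has the same gap, and there it runs before the images are pushed without gating them. Interpolating `${{ github.ref_name }}` directly into the `ko build` shell line works, but the documented pattern is to pass it through `env:` (`VERSION: ${{ github.ref_name }}`) so the branch name is never expanded by the shell.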
@@ -0,0 +1,231 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: Publish images + +permissions: {} + +on: + push: + branches: + - 'main' + - 'release*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + publish-images: + runs-on: ubuntu-latest + permissions: + packages: write + id-token: write + outputs: + kyverno-digest: ${{ steps.publish-kyverno.outputs.digest }} + kyverno-init-digest: ${{ steps.publish-kyverno-init.outputs.digest }} + background-controller-digest: ${{ steps.publish-background-controller.outputs.digest }} + cleanup-controller-digest: ${{ steps.publish-cleanup-controller.outputs.digest }} + cli-digest: ${{ steps.publish-cli.outputs.digest }} + reports-controller-digest: ${{ steps.publish-reports-controller.outputs.digest }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: publish-images + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 30 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + - name: Install Cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - name: Publish kyverno + id: publish-kyverno + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-kyverno + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: kyverno + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + 
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/kyverno + - name: Publish kyverno-init + id: publish-kyverno-init + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-kyverno-init + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: kyverno-init + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/kyverno-init + - name: Publish background-controller + id: publish-background-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-background-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: background-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/background-controller + - name: Publish cleanup-controller + id: publish-cleanup-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-cleanup-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: cleanup-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/cleanup-controller + - name: Publish cli + id: publish-cli + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-cli + registry: ghcr.io + registry-username: ${{ 
github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: cli + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/cli/kubectl-kyverno + - name: Publish reports-controller + id: publish-reports-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-reports-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: reports-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/reports-controller + + generate-kyverno-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/kyverno + digest: "${{ needs.publish-images.outputs.kyverno-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-kyverno-init-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/kyvernopre + digest: "${{ needs.publish-images.outputs.kyverno-init-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-background-controller-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/background-controller + digest: "${{ needs.publish-images.outputs.background-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-cleanup-controller-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/cleanup-controller + digest: "${{ needs.publish-images.outputs.cleanup-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-kyverno-cli-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/kyverno-cli + digest: "${{ needs.publish-images.outputs.cli-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-reports-controller-provenance: + needs: publish-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/reports-controller + digest: "${{ needs.publish-images.outputs.reports-controller-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 000000000000..0e678289c3c8 --- /dev/null +++ b/.github/workflows/lint.yaml 
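Review bot: `generate-kyverno-init-provenance` attests `ghcr.io/${{ github.repository_owner }}/kyvernopre`, while the step whose digest it consumes is `publish-kyverno-init` with `makefile-target: ko-publish-kyverno-init` and `sbom-name: kyverno-init`; if that target still pushes under the legacy `kyvernopre` name this is correct, but nothing in the file says so. A comment on the job such as `# the init image is still published as kyvernopre; keep in sync with the ko-publish-kyverno-init target` would prevent a rename on one side from silently producing provenance for a digest that does not exist under the other. The `# To upload assets to release.` comment next to `packages: write` in each provenance job reads as copied from the generic generator template; for the container generator the permission is used to push the attestation to the registry, which the comment should say. Referencing the generator by tag (`@v2.0.0`) rather than SHA is, as far as I recall, what the SLSA reusable workflow documentation calls for, so that is not a pinning gap.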
@@ -0,0 +1,47 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + +name: Lint + +permissions: {} + +on: + push: + branches: + - '*' + pull_request: + branches: + - 'main' + - 'release*' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + tests: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: lint + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + - name: golangci-lint + uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v3.7.1 + with: + version: v1.54.2 + skip-cache: true + - name: go fmt check + run: make fmt-check + - name: goimports check + run: make imports-check + - name: Checking unused pkgs using go mod tidy + run: make unused-package-check + - name: Go vet + run: make vet diff --git a/.github/workflows/load-testing.yml b/.github/workflows/load-testing.yml new file mode 100644 index 000000000000..9cbdd9ed74cd --- /dev/null +++ b/.github/workflows/load-testing.yml 
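Review bot: `on.push.branches: - '*'` only triggers for branch names without a `/`, since `*` in GitHub's filter patterns does not match a path separator; if every branch is meant, `'**'` is the pattern (the same filter is used in images-build.yaml). Combined with the `pull_request` trigger, a pull request from a branch in this repository runs lint twice under two different concurrency groups. `skip-cache: true` on golangci-lint next to the separate `Setup caches` step presumably avoids double caching; a short comment saying so would explain the combination.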
@@ -0,0 +1,144 @@ +name: Baseline Load Tests + +permissions: {} + +on: + pull_request: + branches: + - "main" + - "release*" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + prepare-images: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: build-images + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + with: + free-disk-space: false + - name: ko build + shell: bash + run: | + set -e + VERSION=${{ github.ref_name }} make docker-save-image-all + - name: upload images archive + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: kyverno.tar + path: kyverno.tar + retention-days: 1 + if-no-files-found: error + + load-test: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + k8s-version: + - name: v1.30 + version: v1.30.0 + kyverno-config: + - name: default + values: + - default-with-profiling + - name: stress + values: + - stress-with-profiling + test: + - kyverno-pss + - kyverno-mutate + k6-config: + - vus: 5 + iterations: 100 + - vus: 10 + iterations: 200 + needs: + - prepare-images + name: ${{ matrix.kyverno-config.name }} - ${{ matrix.test }} - ${{ matrix.k6-config.vus }} vus - ${{ matrix.k6-config.iterations }} iterations + steps: + - name: Checkout kyverno/kyverno + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout kyverno/load-testing + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + repository: kyverno/load-testing + path: load-testing + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - 
name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.kyverno-config.values, ',') }} + make kind-install-kyverno + bash load-testing/k8s/metrics-server/hack.sh + make kind-install-goldilocks + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + - name: Run load tests using K6 + shell: bash + run: | + set -e + KYVERNO_NODE_IP=$(kubectl get nodes -o jsonpath='{.items[?(@.metadata.labels.kubernetes\.io/hostname=="kind-control-plane")].status.addresses[?(@.type=="InternalIP")].address}') + curl http://$KYVERNO_NODE_IP:30950/debug/pprof/heap > heap.pprof + curl "http://$KYVERNO_NODE_IP:30950/debug/pprof/profile?seconds=30" > cpu.pprof 2> curl.tmp & + cd load-testing/k6 + ./start.sh tests/${{ matrix.test }}.js ${{ matrix.k6-config.vus }} ${{ matrix.k6-config.iterations }} + wait %1 || true + # TODO: wait for VPA to stabilize and recommend + kubectl -n kyverno get vpa goldilocks-kyverno-admission-controller -o jsonpath='{.status.recommendation.containerRecommendations[*]}' + - name: Archive load test results + if: failure() + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: load-test-reports + path: load-testing/k6/${{ matrix.test }}.js-${{ matrix.k6-config.vus }}vu-${{ matrix.k6-config.iterations }}it-logs.txt + - name: Archive pprof CPU profiles + if: failure() + uses: 
actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: pprof-cpu-profiles + path: cpu.pprof + - name: Archive pprof HEAP profiles + if: failure() + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: pprof-heap-profiles + path: heap.pprof + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs diff --git a/.github/workflows/nancy.yaml b/.github/workflows/nancy.yaml index 5e009cfac3f4..ba41bb595ac7 100644 --- a/.github/workflows/nancy.yaml +++ b/.github/workflows/nancy.yaml 
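Review bot: The second checkout pulls `kyverno/load-testing` with no `ref`, so `bash load-testing/k8s/metrics-server/hack.sh` and `./start.sh` execute whatever that repository's default branch contains at run time, while every action in this workflow is pinned by SHA; add `ref: <commit-sha>` (placeholder) to that checkout's `with:` block so CI runs a reviewed revision of those scripts. Because the workflow runs on `pull_request` with `permissions: {}` and only `packages: read` on the job, an upstream change can do little with the token, but the measurements would still be untrustworthy. `wait %1 || true` assumes the backgrounded profile `curl` is job 1; a comment noting that the heap fetch above it runs synchronously makes that assumption visible.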
@@ -1,28 +1,76 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Nancy +permissions: {} + on: - push: - branches: - - 'main' - - 'release*' + workflow_dispatch: + schedule: + - cron: '23 2 * * *' # Every day at 02:23 UTC -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true + -permissions: - contents: read jobs: - nancy: + nancy-scan: runs-on: ubuntu-latest - name: Nancy + name: nancy-scan steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: WriteGoList - run: go list -json -m all > go.list + run: go list -json -deps ./... > go.list - name: Nancy SAST Scan - uses: sonatype-nexus-community/nancy-github-action@aae196481b961d446f4bff9012e4e3b63d7921a4 # v1.0.2 + uses: sonatype-nexus-community/nancy-github-action@726e338312e68ecdd4b4195765f174d3b3ce1533 # v1.0.3 + with: + output_format: json + output-file: nancy-results.json + - name: Parse scan results + id: parse-results + run: | + if [ -s nancy-results.json ]; then + echo "Vulnerabilities found, creating issue" + echo "results=found" >> $GITHUB_OUTPUT + else + echo "No vulnerabilities found, halting" + echo "results=nothing" >> $GITHUB_OUTPUT + fi + - name: Upload vulnerability scan report + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: steps.parse-results.outputs.results == 'found' + with: + name: nancy-results.json + path: nancy-results.json + if-no-files-found: error + + open-issue: + runs-on: ubuntu-latest + if: needs.nancy-scan.result == 'success' + needs: nancy-scan + permissions: + issues: write + steps: + - name: Checkout + uses: 
actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Download scan results + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: nancy-results.json + - name: Set scan output + id: set-scan-output + run: echo "results=$(cat nancy-results.json | jq -c)" >> $GITHUB_OUTPUT + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + RESULTS: ${{ steps.set-scan-output.outputs.results }} + with: + filename: .github/ISSUE_TEMPLATE/VULN-TEMPLATE.md + \ No newline at end of file diff --git a/.github/workflows/pr-update.yaml b/.github/workflows/pr-update.yaml index 4db8aeaacd72..3a54e0e01cbe 100644 --- a/.github/workflows/pr-update.yaml +++ b/.github/workflows/pr-update.yaml @@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: PR update +permissions: {} + on: push: branches: @@ -7,28 +11,19 @@ on: - 'release-*' jobs: - checksecret: + autoupdate: runs-on: ubuntu-latest - outputs: - result: ${{ steps.check.outputs.result }} steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Check secret - id: check + id: checksecret uses: ./.github/actions/is-defined with: value: ${{ secrets.PR_UPDATE_TOKEN }} - - autoupdate: - needs: [checksecret] - if: needs.checksecret.outputs.result == 'true' - permissions: - pull-requests: write - runs-on: ubuntu-latest - steps: - name: Automatically update PR - uses: adRise/update-pr-branch@437fab6e0ac7d2a668f2c479f64225edd7f303fd # v0.6.0 + if: steps.checksecret.outputs.result == 'true' + uses: adRise/update-pr-branch@5d273948c50bda6275d3a71e26f71c54e18392c1 # v0.8.1 with: token: ${{ secrets.PR_UPDATE_TOKEN }} base: ${{ github.ref_name }} 
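Review bot: The `open-issue` job is gated on `needs.nancy-scan.result == 'success'`, but `nancy-scan` also succeeds on a clean run and then uploads no artifact, so `Download scan results` fails on every run that finds nothing. Gate on the parse result instead: add `outputs:` / `results: ${{ steps.parse-results.outputs.results }}` under `nancy-scan` and change the condition to `if: needs.nancy-scan.outputs.results == 'found'`. `[ -s nancy-results.json ]` treats any non-empty file as findings; if the action writes `[]` or an empty object for a clean scan (not visible here), the condition would always hold, which is worth confirming against the action's json output.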
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1712077d73ed..a81c461f133b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,245 +1,339 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: releaser +permissions: {} + on: push: tags: - 'v*' jobs: - release-init-kyverno: - permissions: - contents: read - packages: write - id-token: write - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-kyvernopre - image_name: kyvernopre - tag: release - main: cmd/initContainer - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} - - release-kyverno: - permissions: - contents: read - packages: write - id-token: write - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-kyverno - image_name: kyverno - tag: release - main: cmd/kyverno - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} - - release-cleanup-controller: + release-images: + runs-on: ubuntu-latest permissions: - contents: read packages: write id-token: write - uses: ./.github/workflows/reuse.yaml - with: - publish_command: ko-publish-cleanup-controller - image_name: cleanup-controller - tag: release - main: cmd/cleanup-controller - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} + outputs: + kyverno-digest: ${{ steps.release-kyverno.outputs.digest }} + kyverno-init-digest: ${{ steps.release-kyverno-init.outputs.digest }} + background-controller-digest: ${{ steps.release-background-controller.outputs.digest }} + cleanup-controller-digest: ${{ steps.release-cleanup-controller.outputs.digest }} + cli-digest: ${{ steps.release-cli.outputs.digest }} + reports-controller-digest: ${{ steps.release-reports-controller.outputs.digest }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: release-images + - name: Setup build env + uses: 
./.github/actions/setup-build-env + timeout-minutes: 30 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + - name: Install Cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 + - name: Publish kyverno + id: release-kyverno + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-kyverno + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: kyverno + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/kyverno + - name: Publish kyverno-init + id: release-kyverno-init + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-kyverno-init + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: kyverno-init + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/kyverno-init + - name: Publish background-controller + id: release-background-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-background-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: background-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + 
signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/background-controller + - name: Publish cleanup-controller + id: release-cleanup-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-cleanup-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: cleanup-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/cleanup-controller + - name: Publish cli + id: release-cli + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-cli + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: cli + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/cli/kubectl-kyverno + - name: Publish reports-controller + id: release-reports-controller + uses: ./.github/actions/publish-image + with: + makefile-target: ko-publish-reports-controller + registry: ghcr.io + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + repository: ${{ github.repository_owner }} + version: ${{ github.ref_name }} + sign-image: true + sbom-name: reports-controller + sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom + signature-repository: ghcr.io/${{ github.repository_owner }}/signatures + main-path: ./cmd/reports-controller - release-kyverno-cli: + generate-kyverno-provenance: + needs: release-images permissions: - contents: read - packages: write - id-token: write - uses: ./.github/workflows/reuse.yaml + id-token: 
write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: - publish_command: ko-publish-cli - image_name: kyverno-cli - tag: release - main: cmd/cli/kubectl-kyverno + image: ghcr.io/${{ github.repository_owner }}/kyverno + digest: "${{ needs.release-images.outputs.kyverno-digest }}" + registry-username: ${{ github.actor }} secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.CR_PAT }} + registry-password: ${{ secrets.GITHUB_TOKEN }} - generate-init-kyverno-provenance: - needs: release-init-kyverno + generate-kyverno-init-provenance: + needs: release-images permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read #To read the workflow path. + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: image: ghcr.io/${{ github.repository_owner }}/kyvernopre - digest: "${{ needs.release-init-kyverno.outputs.init-container-digest }}" + digest: "${{ needs.release-images.outputs.kyverno-init-digest }}" registry-username: ${{ github.actor }} secrets: - registry-password: ${{ secrets.CR_PAT }} + registry-password: ${{ secrets.GITHUB_TOKEN }} - generate-kyverno-provenance: - needs: release-kyverno + generate-background-controller-provenance: + needs: release-images permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. 
- actions: read #To read the workflow path. + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: - image: ghcr.io/${{ github.repository_owner }}/kyverno - digest: "${{ needs.release-kyverno.outputs.kyverno-digest }}" + image: ghcr.io/${{ github.repository_owner }}/background-controller + digest: "${{ needs.release-images.outputs.background-controller-digest }}" registry-username: ${{ github.actor }} secrets: - registry-password: ${{ secrets.CR_PAT }} + registry-password: ${{ secrets.GITHUB_TOKEN }} generate-cleanup-controller-provenance: - needs: release-cleanup-controller + needs: release-images permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read #To read the workflow path. + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: image: ghcr.io/${{ github.repository_owner }}/cleanup-controller - digest: "${{ needs.release-cleanup-controller.outputs.cleanup-controller-digest }}" + digest: "${{ needs.release-images.outputs.cleanup-controller-digest }}" registry-username: ${{ github.actor }} secrets: - registry-password: ${{ secrets.CR_PAT }} + registry-password: ${{ secrets.GITHUB_TOKEN }} generate-kyverno-cli-provenance: - needs: release-kyverno-cli + needs: release-images permissions: - id-token: write # To sign the provenance. - packages: write # To upload assets to release. - actions: read #To read the workflow path. + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. # NOTE: The container generator workflow is not officially released as GA. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 with: image: ghcr.io/${{ github.repository_owner }}/kyverno-cli - digest: "${{ needs.release-kyverno-cli.outputs.cli-digest }}" + digest: "${{ needs.release-images.outputs.cli-digest }}" + registry-username: ${{ github.actor }} + secrets: + registry-password: ${{ secrets.GITHUB_TOKEN }} + + generate-reports-controller-provenance: + needs: release-images + permissions: + id-token: write # To sign the provenance. + packages: write # To upload assets to release. + actions: read # To read the workflow path. + # NOTE: The container generator workflow is not officially released as GA. 
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 + with: + image: ghcr.io/${{ github.repository_owner }}/reports-controller + digest: "${{ needs.release-images.outputs.reports-controller-digest }}" registry-username: ${{ github.actor }} secrets: - registry-password: ${{ secrets.CR_PAT }} + registry-password: ${{ secrets.GITHUB_TOKEN }} create-release: runs-on: ubuntu-latest - needs: - - release-init-kyverno - - release-kyverno - - release-cleanup-controller - - release-kyverno-cli + needs: release-images + permissions: + contents: write + id-token: write steps: - - name: Set version - id: version - run: echo "version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env uses: ./.github/actions/setup-build-env - - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # pin@v1.0 - + timeout-minutes: 30 + - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0 + - name: Install Cosign + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Make Release env: - VERSION: ${{ steps.version.outputs.version }} + VERSION: ${{ github.ref_name }} run: | rm -rf release mkdir release make release-notes > release/release-notes.out cat release/release-notes.out - - name: Run GoReleaser - uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # pin@v4.1.0 + uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0 with: version: latest - args: release --rm-dist --debug --release-notes=release/release-notes.out + args: release --clean --timeout 90m --debug --release-notes=release/release-notes.out env: 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} push-and-sign-install-manifest: runs-on: ubuntu-latest + needs: create-release permissions: contents: write # needed to write releases id-token: write # needed for keyless signing packages: write # needed for ghcr access - needs: - - create-release steps: - - name: Set version - id: version - run: echo "version=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: Setup Flux CLI - uses: fluxcd/flux2/action@a9f53b4f1aef910fab68f790f7bf5b49c9a1677c # v0.38.3 + uses: fluxcd/flux2/action@896e0fa46d5107a05e953dd0a5261d78a145ec8c # v2.3.0 with: version: 0.35.0 - - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - with: - cosign-release: 'v1.13.0' - + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 - name: Build yaml manifest - run: make codegen-manifest-release - + run: VERSION=${{ github.ref_name }} make codegen-manifest-release - name: Upload install manifest - uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0 + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: .manifest/release.yaml asset_name: install.yaml tag: ${{ github.ref }} - - name: Upload CRD manifest - uses: svenstaro/upload-release-action@2728235f7dc9ff598bd86ce3c274b74f802d2208 # 2.4.0 + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # 2.9.0 with: repo_token: ${{ secrets.GITHUB_TOKEN }} - file: config/crds/*.yaml + file: config/crds/**/*.yaml file_glob: true tag: ${{ 
github.ref }} - - name: Login to GHCR - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Push manifests to GHCR with Flux env: - CR_PAT_ARTIFACTS: ${{ secrets.CR_PAT_ARTIFACTS }} + CR_PAT_ARTIFACTS: ${{ secrets.GITHUB_TOKEN }} run: | set -e mkdir -p config/.release-manifests cp .manifest/release.yaml config/.release-manifests/install.yaml cd config/.release-manifests/ && \ - flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} \ + flux push artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }} \ --path="." \ --source="$(git config --get remote.origin.url)" \ - --revision="${{ steps.version.outputs.version }}/$(git rev-parse HEAD)" - + --revision="${{ github.ref_name }}/$(git rev-parse HEAD)" - name: Sign manifests in GHCR with Cosign - env: - COSIGN_EXPERIMENTAL: 1 run: | - cosign sign ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ steps.version.outputs.version }} + cosign sign --yes ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }} release-cli-via-krew: runs-on: ubuntu-latest - needs: - - create-release + needs: create-release steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: Check Tag id: check-tag run: | 
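Review bot: `cosign sign --yes ghcr.io/${{ github.repository_owner }}/manifests/kyverno:${{ github.ref_name }}` in the push-and-sign-install-manifest job signs a mutable tag rather than the digest that `flux push artifact` just produced, so the signature binds whatever the tag resolves to at signing time; resolve the pushed artifact to its digest and sign `…/manifests/kyverno@sha256:<digest>` (placeholder), the way the provenance jobs in this same file consume `needs.release-images.outputs.*-digest` instead of tags. In release-images, the Trivy repo-mode step writes `trivy-results.sarif` but none of the following steps uploads it or sets `exit-code`, so findings neither block the release nor surface anywhere; add `exit-code: '1'` or an upload of the SARIF to code scanning. The init provenance job attaches the `kyverno-init-digest` to `image: ghcr.io/${{ github.repository_owner }}/kyvernopre` while the publish step uses `makefile-target: ko-publish-kyverno-init` and `sbom-name: kyverno-init`; if the Makefile publishes that image under a different repository name the provenance lands on the wrong image, so confirm the two names agree. Finally, `CR_PAT_ARTIFACTS: ${{ secrets.GITHUB_TOKEN }}` leaves a misleading variable name now that the PAT is gone; either rename it or note why the name is kept.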
@@ -248,4 +342,4 @@ jobs: fi - name: Update new version in krew-index if: steps.check-tag.outputs.match == 'true' - uses: rajatjindal/krew-release-bot@92da038bbf995803124a8e50ebd438b2f37bbbb0 # pin@v0.0.43 + uses: rajatjindal/krew-release-bot@df3eb197549e3568be8b4767eec31c5e8e8e6ad8 # v0.0.46 diff --git a/.github/workflows/report-on-vulnerabilities.yaml b/.github/workflows/report-on-vulnerabilities.yaml index 27d0c470a9a2..aec28c50230d 100644 --- a/.github/workflows/report-on-vulnerabilities.yaml +++ b/.github/workflows/report-on-vulnerabilities.yaml 
@@ -1,44 +1,85 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: report-on-vulnerabilities + +permissions: {} + on: workflow_dispatch: {} schedule: - cron: '23 2 * * *' # Every day at 02:23 + env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} + jobs: scan: - runs-on: ubuntu-20.04 - permissions: - contents: read + runs-on: ubuntu-latest outputs: results: ${{ steps.parse-results.outputs.results }} - steps: - - name: Scan for vulnerabilities - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0 (Trivy v0.34.0) + steps: + - name: Get Branches Name + id: get-branches + run: | + all_branches=$(curl -s 'https://api.github.com/repos/${{ env.IMAGE_NAME }}/branches?per_page=100' | jq -r '.[].name | select(startswith("release-"))' | sort -rV | head -n 2) + releasebranch1=$(echo "$all_branches" | sed -n 1p) + releasebranch2=$(echo "$all_branches" | sed -n 2p) + + echo "releasebranch1=$releasebranch1" >> $GITHUB_OUTPUT + echo "releasebranch2=$releasebranch2" >> $GITHUB_OUTPUT + + - name: Scan for vulnerabilities in latest image + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0) + with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest format: json ignore-unfixed: false severity: HIGH,CRITICAL - output: scan.json + output: scan1.json + + - name: Scan for vulnerabilities in latest-1 image + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0) + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch1 }} + format: json + ignore-unfixed: false + severity: HIGH,CRITICAL + output: scan2.json + + - name: Scan for vulnerabilities in latest-2 image + uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.8.0 (Trivy v0.34.0) + with: + image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get-branches.outputs.releasebranch2 
}} + format: json + ignore-unfixed: false + severity: HIGH,CRITICAL + output: scan3.json + + - name: Merge scan results + id: merge-results + run: | + jq -s add scan1.json scan2.json scan3.json > scan.json + cat scan.json - name: Parse scan results id: parse-results continue-on-error: true run: | - VULNS=$(cat scan.json | jq '.Results[] | has("Vulnerabilities")') - if echo $VULNS | grep -q 'true'; then - echo "Vulnerabilities found, creating issue" - echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT - else + VULNS=$(cat scan.json | jq '.Results[] | select(.Target=="ko-app/kyverno").Vulnerabilities | length') + if [[ $VULNS -eq 0 ]] + then echo "No vulnerabilities found, halting" echo "results=nothing" >> $GITHUB_OUTPUT + else + echo "Vulnerabilities found, creating issue" + echo "results=found" >> $GITHUB_OUTPUT fi - name: Upload vulnerability scan report - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - if: contains(steps.parse-results.outputs.results, 'SchemaVersion') + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if: steps.parse-results.outputs.results == 'found' with: name: scan.json path: scan.json 
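Review bot: `jq -s add scan1.json scan2.json scan3.json` in the Merge scan results step merges the three Trivy reports as objects, so the `.Results` array of scan3.json replaces those of scan1.json and scan2.json instead of being appended, and the parse step only ever sees the last image. Concatenate the arrays instead, e.g. `jq -s '.[0] + {Results: (map(.Results // []) | add)}' scan1.json scan2.json scan3.json > scan.json`; since all three reports will then likely contribute a `ko-app/kyverno` target, the parse step should sum them with something like `jq '[.Results[] | select(.Target=="ko-app/kyverno").Vulnerabilities | length] | add'` rather than rely on a single line in `$VULNS`. The version comment on the new trivy-action pin, `# v0.8.0 (Trivy v0.34.0)`, is stale: release.yaml labels the same commit `6e7b7d1f…` as `# v0.24.0`, which misleads anyone auditing the pins. The Get Branches Name step also calls the GitHub API unauthenticated via `curl -s` with no `-f` and no `set -eo pipefail`, so a rate-limit or error body yields empty `releasebranch1`/`releasebranch2` and an image-ref ending in `:`; sending the token and failing on empty output would make that visible.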
@@ -46,23 +87,23 @@ jobs: open-issue: runs-on: ubuntu-latest - if: contains(needs.scan.outputs.results, 'SchemaVersion') + if: needs.scan.outputs.results == 'found' needs: scan + permissions: + issues: write steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download scan uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: scan.json - name: Set scan output id: set-scan-output - run: echo "results=$(cat scan.json)" >> $GITHUB_OUTPUT - - uses: JasonEtco/create-an-issue@e27dddc79c92bc6e4562f268fffa5ed752639abd # v2.9.1 + run: echo "results=$(cat scan.json | jq -c)" >> $GITHUB_OUTPUT + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} RESULTS: ${{ steps.set-scan-output.outputs.results }} with: - filename: .github/VULN_TEMPLATE.md + filename: .github/ISSUE_TEMPLATE/VULN-TEMPLATE.md diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml deleted file mode 100644 index 2042bfff2349..000000000000 --- a/.github/workflows/reuse.yaml +++ /dev/null 
@@ -1,192 +0,0 @@ -name: Create Publish and Sign Docker Image - -on: - workflow_call: - inputs: - publish_command: - required: true - type: string - image_name: - required: true - type: string - tag: - required: true - type: string - main: - type: string - secrets: - registry_username: - required: true - registry_password: - required: true - outputs: - init-container-digest: - description: "sha256 digest of kyverno init docker image" - value: ${{ jobs.build.outputs.init-container-digest }} - kyverno-digest: - description: "sha256 digest of kyverno docker image" - value: ${{ jobs.build.outputs.kyverno-digest }} - cleanup-controller-digest: - description: "sha256 digest of cleanup-controller docker image" - value: ${{ jobs.build.outputs.cleanup-controller-digest }} - cli-digest: - description: "sha256 digest of kyverno docker image" - value: ${{ jobs.build.outputs.cli-digest }} - -jobs: - build: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - id-token: write - outputs: - init-container-digest: ${{ steps.set-sha256sum-digest.outputs.init-container-digest }} - kyverno-digest: ${{ steps.set-sha256sum-digest.outputs.kyverno-digest }} - cleanup-controller-digest: ${{ steps.set-sha256sum-digest.outputs.cleanup-controller-digest }} - cli-digest: ${{ steps.set-sha256sum-digest.outputs.cli-digest }} - steps: - - name: Checkout release - if: ${{ inputs.tag == 'release'}} - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - with: - fetch-depth: 0 - - - name: Checkout image - if: ${{ inputs.tag == 'image'}} - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - - name: Unshallow - if: ${{ inputs.tag == 'image'}} - run: git fetch --prune --unshallow --tags - - - name: Set up Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 - with: - go-version: ~1.19.4 - - - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - with: - 
cosign-release: 'v1.13.0' - - - name: Cache Go modules - uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # pin@v3 - with: - path: | - ~/.cache/go-build - ~/go/pkg/mod - /tmp/ko-cache - key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} - restore-keys: | - ${{ runner.os }}-go- - - - name: Run Trivy vulnerability scanner in repo mode - if: ${{inputs.tag == 'release'}} - uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' - - - name: Set Version - if: ${{ inputs.tag == 'release'}} - run: | - echo "KYVERNO_VERSION=$(git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))" >> $GITHUB_ENV - - - name: Generate SBOM JSON - if: ${{inputs.tag == 'release'}} - uses: CycloneDX/gh-gomod-generate-sbom@d4aee0cf5133055dbd98899978246c10c18c440f # v1.1.0 - with: - version: v1 - args: app -licenses -json -output ${{inputs.image_name}}-${{ env.KYVERNO_VERSION }}-bom.cdx.json -main ${{inputs.main}} - - - name: Upload SBOM JSON - if: ${{inputs.tag == 'release'}} - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: ${{inputs.image_name}}-bom-cdx - path: ${{inputs.image_name}}-v*-bom.cdx.json - - - name: Extract branch name - if: ${{inputs.tag == 'image'}} - shell: bash - run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" - id: extract_branch - - - name: Check branch - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch != 'main'}} - id: check-branch - run: | - if [[ ${{ steps.extract_branch.outputs.branch }} =~ ^release-[0-9]+\.[0-9]$ ]]; then - echo "match=true" >> $GITHUB_OUTPUT - fi - - - name: ko build dev image - id: ko-publish-dev - env: - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - run: | - set -e - echo 
"digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}}-dev)" >> $GITHUB_OUTPUT - - - name: ko build release image - id: ko-publish - env: - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - run: | - set -e - echo "digest=$(REGISTRY=ghcr.io REPO=${{ github.repository_owner }} REGISTRY_PASSWORD=${{secrets.registry_password}} make ${{inputs.publish_command}})" >> $GITHUB_OUTPUT - - - name: Sign dev image - if: ${{inputs.tag == 'image' && steps.extract_branch.outputs.branch == 'main'}} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" - run: | - set -e - cosign sign \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ${{ steps.ko-publish-dev.outputs.digest }} - - - name: Sign release-image - if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - env: - COSIGN_EXPERIMENTAL: "true" - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/signatures" - run: | - set -e - cosign sign \ - -a "repo=${{ github.repository }}" \ - -a "workflow=${{ github.workflow }}" \ - -a "ref=${{ github.sha }}" \ - ${{ steps.ko-publish.outputs.digest }} - - - name : Attach SBOM - if: ${{inputs.tag == 'release'}} - env: - COSIGN_REPOSITORY: "ghcr.io/${{ github.repository_owner }}/sbom" - run: cosign attach sbom --sbom ./${{inputs.image_name}}-v*-bom.cdx.json --type cyclonedx ${{ steps.ko-publish.outputs.digest }} - - - name: get sha256sum image digest - if: ${{inputs.tag == 'release' || (inputs.tag == 'image' && steps.check-branch.outputs.match == 'true')}} - id: set-sha256sum-digest - run: | - echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}" - DIGEST=$(echo ${{ 
steps.ko-publish.outputs.digest }} | cut -d '@' -f2) - echo "Digest from image is: $DIGEST" - if [[ "${{inputs.publish_command}}" = "ko-publish-kyvernopre" ]]; then - echo "init-container-digest=$DIGEST" >> $GITHUB_OUTPUT - elif [[ "${{inputs.publish_command}}" = "ko-publish-kyverno" ]]; then - echo "kyverno-digest=$DIGEST" >> $GITHUB_OUTPUT - elif [[ "${{inputs.publish_command}}" = "ko-publish-cleanup-controller" ]]; then - echo "cleanup-controller-digest=$DIGEST" >> $GITHUB_OUTPUT - else - echo "cli-digest=$DIGEST" >> $GITHUB_OUTPUT - fi diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 853adb449ba7..9a832ab42331 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Scorecards supply-chain security +permissions: {} + on: schedule: - cron: '30 1 * * 6' 
@@ -19,34 +23,23 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: persist-credentials: false - - name: Check secret - id: checksecret - uses: ./.github/actions/is-defined - with: - value: ${{ secrets.SCORECARD_READ_TOKEN }} - - name: Setup build env - if: steps.checksecret.outputs.result == 'true' - uses: ./.github/actions/setup-build-env - name: Run analysis - if: steps.checksecret.outputs.result == 'true' - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} publish_results: true - name: Upload artifact - if: steps.checksecret.outputs.result == 'true' - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif retention-days: 5 - name: Upload to code-scanning - if: steps.checksecret.outputs.result == 'true' - uses: github/codeql-action/upload-sarif@515828d97454b8354517688ddc5b48402b723750 # v2.1.38 + uses: github/codeql-action/upload-sarif@29d86d22a34ea372b1bbf3b2dced2e25ca6b3384 # v3.26.1 with: sarif_file: results.sarif diff --git a/.github/workflows/sonarcloud.yaml b/.github/workflows/sonarcloud.yaml index dece6945a081..6d1f3e997af9 100644 --- a/.github/workflows/sonarcloud.yaml +++ b/.github/workflows/sonarcloud.yaml @@ -1,5 +1,9 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Sonarcloud workflow +permissions: {} + on: push: branches: 
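Review bot: Removing the Check secret guard means Run analysis now always executes with `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}`, so in any run where that secret is undefined the action receives an empty token; confirm scorecard-action accepts that together with `publish_results: true`, and otherwise keep an `if:` on the secret. If an empty token is acceptable because the token is only used for checks that need extra read access, record that next to the input, e.g. `# optional: only needed for checks that require a repo-scoped token`, so the next reader does not reintroduce the guard blindly. Keeping `persist-credentials: false` on checkout and the explicit job-level permissions under the new workflow-level `permissions: {}` is the right shape for this job.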
@@ -10,26 +14,30 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: sonarcloud: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Check secret id: checksecret uses: ./.github/actions/is-defined with: value: ${{ secrets.SONAR_TOKEN }} + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true - name: Setup build env if: steps.checksecret.outputs.result == 'true' uses: ./.github/actions/setup-build-env + timeout-minutes: 10 + with: + free-disk-space: false - name: SonarCloud Scan if: steps.checksecret.outputs.result == 'true' - uses: sonarsource/sonarcloud-github-action@cb201f3b2d7a38231a8c042dfea4539c8bea180b # v1.8 + uses: sonarsource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 # v2.3.0 env: GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 04374c153f1b..cfa445062ee8 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,10 +1,13 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Tests +permissions: {} + on: push: branches: - - 'main' - - 'release*' + - '*' pull_request: branches: - 'main' 
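Review bot: The new Setup caches step runs unconditionally while Setup build env and SonarCloud Scan are gated on `steps.checksecret.outputs.result == 'true'`, so runs without `SONAR_TOKEN` still spend time restoring caches for a scan that is then skipped; add the same guard, `if: steps.checksecret.outputs.result == 'true'`, to it. With `permissions: contents: read` removed here and `permissions: {}` set at workflow level in the previous hunk, the job's GITHUB_TOKEN has no scopes; the scan step uses `secrets.ACCESS_TOKEN` instead, which is worth a one-line comment so nobody re-adds `contents: read` for it without reason.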
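Review bot: `branches: - '*'` uses the single-star glob, which in GitHub's filter syntax does not match `/`, so branches such as `release/x` or `feature/foo` will not trigger the push event even though the change reads as "every branch"; use `'**'` if every branch is meant, or keep an explicit list. The same pattern is introduced for verify-codegen.yaml in the next hunk. With `push` on every branch plus `pull_request` on main, a PR from a branch in this repository now runs the workflow twice per push, and the concurrency group `${{ github.workflow }}-${{ github.ref }}` shown in the following hunk does not collapse those since the push and PR refs differ.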
@@ -14,31 +17,22 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: tests: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true + with: + build-cache-key: tests - name: Setup build env uses: ./.github/actions/setup-build-env + timeout-minutes: 10 with: - build-cache-key: pre-checks - - name: golangci-lint - uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # pin@v3 - with: - version: v1.48 - skip-cache: true - - name: go fmt check - run: make fmt-check - - name: goimports check - run: make imports-check - - name: Checking unused pkgs using go mod tidy - run: make unused-package-check - - name: Go vet - run: make vet + free-disk-space: false - name: Unit test run: make test-unit diff --git a/.github/workflows/verify-codegen.yaml b/.github/workflows/verify-codegen.yaml index 609c3bdbff99..5447631b4b49 100644 --- a/.github/workflows/verify-codegen.yaml +++ b/.github/workflows/verify-codegen.yaml @@ -1,10 +1,13 @@ +# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json + name: Verify codegen +permissions: {} + on: push: branches: - - 'main' - - 'release*' + - '*' pull_request: branches: - 'main' 
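Review bot: The `golangci-lint`, `go fmt check`, `goimports check`, `unused-package-check` and `Go vet` steps are removed from this job and nothing in the diff adds them elsewhere, so unless another workflow not shown here runs them, the `.golangci.yml` changes later in this commit configure a linter that CI no longer invokes. If they were moved, a comment in the job such as `# lint/vet/fmt checks run in <WORKFLOW-FILE>` would make that visible; if not, reinstating them as a separate job keeps lint and test failures distinguishable. `continue-on-error: true` on `Setup caches` is reasonable for an optional cache, but it also hides the step hitting its 5-minute timeout, which is worth a short comment. The `tests` job may continue past the hunk.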
@@ -14,18 +17,20 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - jobs: verify-codegen: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 - - name: Setup build env - uses: ./.github/actions/setup-build-env + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Setup caches + uses: ./.github/actions/setup-caches + timeout-minutes: 5 + continue-on-error: true with: build-cache-key: verify-codegen + - name: Setup build env + uses: ./.github/actions/setup-build-env + timeout-minutes: 10 - name: Verify generated code is up to date run: make verify-codegen diff --git a/.gitignore b/.gitignore index 90fa1bb42ee1..9ffbc0e42c8d 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,11 @@ _output coverage.txt .idea cmd/cli/kubectl-kyverno/kubectl-kyverno -cmd/initContainer/kyvernopre cmd/kyverno/kyverno +cmd/kyverno-init/kyvernopre cmd/cleanup-controller/cleanup-controller +cmd/reports-controller/reports-controller +cmd/background-controller/background-controller /release .DS_Store .tools @@ -16,3 +18,5 @@ cmd/cleanup-controller/cleanup-controller /config/.release .dist .manifest +kyverno.tar.gz +vendor/ diff --git a/.golangci.yml b/.golangci.yml index 2264189f7c01..0382330dd444 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -5,7 +5,6 @@ linters: - bidichk - bodyclose - containedctx - - deadcode - decorder - dogsled - durationcheck @@ -31,19 +30,18 @@ linters: - nosprintfhostport - paralleltest - staticcheck - - structcheck - tenv - thelper - tparallel - typecheck - unconvert - unused - - varcheck - wastedassign - whitespace + - prealloc run: - timeout: 10m + timeout: 15m skip-files: - ".+\\.generated.go" - ".+_test.go" diff --git a/.goreleaser.yml b/.goreleaser.yml index 753b9c939431..90aa933d4f69 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml 
@@ -1,15 +1,20 @@ -project_name: kyverno-cli +project_name: kyverno-cli + before: hooks: - go mod download + builds: - id: kyverno-cli - main: cmd/cli/kubectl-kyverno/main.go + # As mentioned in https://github.com/golang/go/issues/51831, to include build info, we should use go build + # instead of go build main.go here. + # see https://goreleaser.com/customization/builds/ + main: ./cmd/cli/kubectl-kyverno binary: kyverno env: - CGO_ENABLED=0 ldflags: - - -s -w -X github.com/kyverno/kyverno/pkg/version.BuildVersion={{.Version}} -X github.com/kyverno/kyverno/pkg/version.BuildHash={{ .FullCommit }} -X github.com/kyverno/kyverno/pkg/version.BuildTime={{ .Date }} + - -s -w -X github.com/kyverno/kyverno/pkg/version.BuildVersion={{.Version}} goos: - linux - darwin @@ -23,29 +28,47 @@ builds: goarch: s390x - goos: windows goarch: s390x + +signs: + - cmd: cosign + env: + - COSIGN_EXPERIMENTAL=1 + certificate: '${artifact}.pem' + args: + - sign-blob + - --output-certificate=${certificate} + - --output-signature=${signature} + - ${artifact} + - --yes + artifacts: all + output: true + archives: - id: kyverno-cli-archive name_template: |- - kyverno-cli_{{ .Tag }}_{{ .Os }}_{{ .Arch -}} - {{- with .Arm -}} - {{- if (eq . "6") -}}hf - {{- else -}}v{{- . -}} - {{- end -}} - {{- end -}} + kyverno-cli_{{ .Tag }}_{{ .Os }}_ + {{- with .Arch -}} + {{- if eq . "amd64" -}}x86_64{{- else if eq . "386" -}}i386{{- else -}}{{- . -}}{{- end -}} + {{- end -}} + {{- with .Arm -}} + {{- if eq . "6" -}}hf{{- else -}}v{{- . -}}{{- end -}} + {{- end -}} builds: - kyverno-cli format_overrides: - goos: windows format: zip - replacements: - 386: i386 - amd64: x86_64 files: ["LICENSE"] + checksum: - name_template: "checksums.txt" - algorithm: sha256 + name_template: checksums.txt + +source: + enabled: true + release: prerelease: auto + changelog: sort: asc filters: @@ -53,5 +76,3 @@ changelog: - '^docs:' - typo - '^test:' -source: - enabled: true 
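Review bot: `-X ...BuildHash=` and `-X ...BuildTime=` are dropped from `ldflags`, so `pkg/version.BuildHash` and `BuildTime` will be empty in released binaries unless the version package now derives them from `debug.ReadBuildInfo()`; the comment above `main:` suggests that is the plan, but the diff does not show it. Worth confirming before tagging a release, since `version` output and any provenance check keyed on the commit hash would otherwise regress silently. The `builds` entry continues past the hunk.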
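Review bot: `COSIGN_EXPERIMENTAL=1` is the cosign v1 opt-in for keyless signing; with cosign v2 keyless is the default and the variable is no longer needed, so the release job should pin the cosign version it installs and the `signs` block should say which mode is expected, e.g. `# keyless (Fulcio/Rekor) signing via GitHub OIDC; the release job needs id-token: write`. `--yes` suppresses the prompt acknowledging that the signing identity and artifact digests are published to the public Rekor log, which is fine for a public release but belongs in that comment too. Keyless signing only works if the release workflow grants `id-token: write`, which is not visible in this diff. The `changelog` stanza continues past the hunk.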
diff --git a/.ko.yaml b/.ko.yaml index e2f6a21bc492..874a581f1ddb 100644 --- a/.ko.yaml +++ b/.ko.yaml @@ -1,11 +1,11 @@ builds: -- id: initContainer - main: ./cmd/initContainer +- id: kyverno + main: ./cmd/kyverno ldflags: - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' -- id: kyverno - main: ./cmd/kyverno +- id: kyverno-init + main: ./cmd/kyverno-init ldflags: - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' @@ -13,3 +13,18 @@ builds: main: ./cmd/cli ldflags: - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' + +- id: cleanup-controller + main: ./cmd/cleanup-controller + ldflags: + - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' + +- id: reports-controller + main: ./cmd/reports-controller + ldflags: + - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' + +- id: background-controller + main: ./cmd/background-controller + ldflags: + - '{{ if index .Env "LD_FLAGS" }}{{ .Env.LD_FLAGS }}{{ end }}' diff --git a/.nancy-ignore b/.nancy-ignore new file mode 100644 index 000000000000..8bde1744cc5d --- /dev/null +++ b/.nancy-ignore @@ -0,0 +1,6 @@ +# golang/k8s.io/apiserver@v0.30.1 +CVE-2020-8561 until=2024-12-30 +# golang/github.com/notaryproject/notation-go@v1.1.1 +CVE-2024-23332 until=2024-12-30 +# golang/github.com/hashicorp/vault/api@v1.14.0 +CVE-2024-2660 until=2024-12-30 diff --git a/.vscode/launch.json b/.vscode/launch.json index f8c9f34ef3cc..915fc15adcb2 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
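Review bot: Each `.nancy-ignore` entry names only the affected module, not why the finding is accepted, so when `until=2024-12-30` lapses the next person has to re-derive the reasoning. Put the rationale on each comment line, e.g. `# golang/k8s.io/apiserver@v0.30.1 - CVE-2020-8561: <why the vulnerable path is not reachable here>; tracked in <ISSUE-REF>`, and tie the expiry to the planned dependency bump so the suppression is re-evaluated rather than re-extended. The three entries share a single expiry date; if they are independent findings, giving each its own date avoids extending all of them together.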
@@ -9,8 +9,78 @@ "program": "${workspaceFolder}/cmd/kyverno", "args": [ "--kubeconfig=${userHome}/.kube/config", - "--serverIP=:9443", + "--serverIP=:9443", + "--backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller", + "-v=2", + "--caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca", + "--tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair", ], + "env": { + "KYVERNO_NAMESPACE": "kyverno", + "KYVERNO_SERVICEACCOUNT_NAME": "kyverno-admission-controller", + "KYVERNO_DEPLOYMENT": "dummy", + "KYVERNO_POD_NAME": "dummy", + "INIT_CONFIG": "kyverno", + "METRICS_CONFIG": "kyverno-metrics", + } + }, + { + "name": "Launch Reports Controller", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "${workspaceFolder}/cmd/reports-controller", + "args": [ + "--kubeconfig=${userHome}/.kube/config", + ], + "env": { + "KYVERNO_NAMESPACE": "kyverno", + "KYVERNO_SERVICEACCOUNT_NAME": "kyverno-reports-controller", + "KYVERNO_DEPLOYMENT": "dummy", + "KYVERNO_POD_NAME": "dummy", + "INIT_CONFIG": "kyverno", + "METRICS_CONFIG": "kyverno-metrics", + } + }, + { + "name": "Launch Background Controller", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "${workspaceFolder}/cmd/background-controller", + "args": [ + "--kubeconfig=${userHome}/.kube/config", + ], + "env": { + "KYVERNO_NAMESPACE": "kyverno", + "KYVERNO_SERVICEACCOUNT_NAME": "kyverno-background-controller", + "KYVERNO_DEPLOYMENT": "dummy", + "KYVERNO_POD_NAME": "dummy", + "INIT_CONFIG": "kyverno", + "METRICS_CONFIG": "kyverno-metrics", + } + }, + { + "name": "Launch Cleanup Controller", + "type": "go", + "request": "launch", + "mode": "auto", + "program": "${workspaceFolder}/cmd/cleanup-controller", + "args": [ + "--kubeconfig=${userHome}/.kube/config", + "--serverIP=:9443", + "--caSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-ca", + "--tlsSecretName=kyverno-cleanup-controller.kyverno.svc.kyverno-tls-pair", + ], + "env": { + 
"KYVERNO_NAMESPACE": "kyverno", + "KYVERNO_SERVICEACCOUNT_NAME": "kyverno-cleanup-controller", + "KYVERNO_SVC": "kyverno-cleanup-controller", + "KYVERNO_DEPLOYMENT": "dummy", + "KYVERNO_POD_NAME": "dummy", + "INIT_CONFIG": "kyverno", + "METRICS_CONFIG": "kyverno-metrics", + } }, { "name": "Launch CLI", @@ -18,9 +88,10 @@ "request": "launch", "mode": "auto", "program": "${workspaceFolder}/cmd/cli/kubectl-kyverno", + "cwd": "${workspaceFolder}", "args": [ "test", - "${workspaceFolder}/test/cli/", + "test/cli" ], } ] diff --git a/ADOPTERS.md b/ADOPTERS.md index 0772a227433e..102646149919 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md @@ -2,8 +2,7 @@ This is the list of organizations and users that have publicly shared how they are using Kyverno. -💡 **Add your organization by creating a PR or [submitting this form](https://docs.google.com/forms/d/e/1FAIpQLSe1IBSxDFn_iAAq9vd0nQdjKbapvgGyM8j2IX_z4xSCu-OSNg/viewform)** - +💡 **Add your organization by creating a PR or [submitting this form](https://forms.gle/K5CApcBAD5D4H1AG8)** Note: There are several other organizations and users that are unable to publicly share their stories but are active in the Kyverno community. We appreciate all our users and their contributions to making Kyverno a successful CNCF project. 
@@ -26,9 +25,25 @@ The list of organizations that have publicly shared the usage of Kyverno: | [Techcombank](https://www.techcombank.com.vn/trang-chu) | Use Kyverno to enforce security policies rules, Kubernetes best practices for their internal container based workload on Kubernetes | | [Trendyol](https://www.trendyol.com) | In adoption planning to roll out to hundreds of production clusters using GitOps | | [Rafay Systems](https://rafay.co/) | Platform supports centralized deployment of Kyverno across clusters | -| [Wayfair](https://wayfair.com) | Policy enforcement on managed clusters. Replacement of some in-house mutating webhooks. | +| [Wayfair](https://wayfair.com) | Policy enforcement on managed clusters. Replacement of some in-house mutating webhooks. | +| [Yahoo](https://www.yahoo.com/) | Use Kyverno for mutation, to replace image tags to digest and also for validation for checking freshness of images. | +| [T-Systems](https://www.t-systems.com) | | +| [Red Hat](https://www.redhat.com) | Learn more about Red Hat Advanced Cluster Management for Kubernetes for [Generating Governance Policies Using Kustomize and GitOps](https://cloud.redhat.com/blog/generating-governance-policies-using-kustomize-and-gitops).| +| [DE-CIX](https://www.de-cix.net) | Kyvernos policy enforcement is used to enforce the company's security guidelines. This is done using validation, mutation and generation techniques. | +| [Saxo Bank](https://www.home.saxo/) | We use Kyverno to enforce security and best practises. | +| [Velux](https://www.velux.com/) | We successfully use Kyverno in our clusters for security, best practice enforcement, resource mutation, secret copying and more! | +| [HCS Company](https://www.hcs-company.com/) | Policy enforcement and enabling selfservice for DevOps teams. | +| [Hexagon](https://hexagon.com/) | We leverage Kyverno to robustly enforce security policies. 
Additionally, as a Kubernetes swiss-knife, Kyverno fills our gap in our GitOps workflow by allowing us to apply complex configurations and customizations which are beyond the native capabilities of Kubernetes operators. | +| [Grover Group GmbH](https://www.grover.com) | We have been using Kyverno to streamline our K8s security standards and also follow industry best practices for running workloads in K8s using policy enforcements. | +| [IITS Consulting](https://iits-consulting.de/) | Security is a piece of cake with Kyverno. Kyverno helped us to implement proper security for different kind of clients (medical/telecommunication/trading...). It solves problems like security enforcement, container image verification, distribution of imagePullSecrets and many more. | +| [LinkedIn](https://www.linkedin.com/) | Policy enforcement on our on-prem Kubernetes clusters. | +| [Groww](https://groww.in/) | We have implemented Kyverno as a part of Auto compliance. We put policies to satisfy CIS Compliance for GKE as well as block anomalies detected by the Red Team. | +| [Spotify](https://www.cncf.io/announcements/2023/11/08/cloud-native-computing-foundation-presents-the-top-end-user-award-to-spotify/) | Spotify uses Kyverno extensively for its admission controller capabilities, including best practices and environment-specific data. | +| [US DoD Platform One](https://p1.dso.mil/) | The US Department of Defense (DoD) Platform One uses Kyverno as its default policy engine for Kubernetes. | +| [Censhare](https://www.censhare.com/) | We use Kyverno in almost all possible areas of security and automation, we call Kyverno as a "Multi-tenancy engine" since we host a multi-tenancy environment for our partners and customers. We have deprecated our own tooling that was complicated and hard to maintain, Thanks to Kyverno. 
| +| [Coinone](https://coinone.co.kr) | Use Kyverno to enforce security hardening and best practices, and mutate pod specs related to graceful shutdown handling, such as tGPSterminationGracePeriodSeconds and custom preStop script. | +| [Davidson consulting](https://www.davidson.group) | We are using Kyverno mutation policies in our pre-production environment to add default NetworkPolicy and to add labels to OKD resources. | +| [InfraCloud Technologies](https://www.infracloud.io/) | We have successfully implemented Kyverno as a crucial component of our SOC2 compliance, alongside other essential security hardening measures & best practices. Kyverno's policies offer a significantly streamlined implementation process, far exceeding the complexities associated with cloud services. | - - diff --git a/CHANGELOG.md b/CHANGELOG.md index 766a5b44bdc4..ebff98b697ce 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,40 @@
+## v1.13.0
+
+### Note
+
+- Removed deprecated flag `reportsChunkSize`.
+
+## v1.11.0
+
+## v1.11.0-rc.1
+
+### Note
+
+- Added `--tufRoot` and `--tufMirror` flags to configure tuf for custom sigstore deployments.
+- Remove description from deprecated fields in CRDs
+- Remove CLI `kyverno test manifest ...` commands (replaced by `kyverno create ...`).
+- Added `--caSecretName` and `--tlsSecretName` flags to control names of certificate related secrets.
+- Added match conditions support in kyverno config map.
+- Deprecated flag `--imageSignatureRepository`. Will be removed in 1.12. Use per rule configuration `verifyImages.Repository` instead.
+- Added `--aggregateReports` flag for reports controller to enable/disable aggregated reports (default value is `true`).
+- Added `--policyReports` flag for reports controller to enable/disable policy reports (default value is `true`).
+- Renamed CLI flag `--compact` to `--detailed-results` (and changed default value from `true` to `false`).
+- Changed the default value of `--enablePolicyException` from `false` to `true`.
+
+## v1.10.0
+
+## v1.10.0-rc.1
+
+### Note
+
+- Removed `GenerateRequest` CRD.
+- Refactored `kyverno` chart, migration instructions are available in chart `README.md`.
+- Image references in the json context are not mutated to canonical form anymore, do not assume a registry domain is always present.
+- Added support for configuring webhook annotations in the config map through `webhookAnnotations` stanza.
+- Added `excludeRoles` and `excludeClusterRoles` support in configuration.
+- Added new flag `skipResourceFilters` to reports controller to enable/disable considering resource filters in the background (default value is `true`)
+- Removed hardcoded defaults for `excludeGroups` and `excludeUsernames`. They are always read from the config map.
+
 ## v1.9.0-rc.1
 
 ### Note
diff --git a/CODEOWNERS b/CODEOWNERS
index 7f650c2c5390..c16827d04c99 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -1,20 +1,19 @@
 # Areas of code where @marcelmue always wants to be a reviewer/notified.
-/pkg/webhooks @marcelmue
-/pkg/policy/mutate @marcelmue
-/pkg/engine @marcelmue @vyankyGH
-/pkg/kyverno @vyankyGH
-/pkg/openapi @vyankyGH
-/pkg/policycache @vyankyGH
-/pkg/policy/validate @vyankyGH
-/test @vyankyGH @chipzoller @eddycharly
-/docs @chipzoller
-/pkg/registryclient
-/api/kyverno/v1 @eddycharly
-/pkg/webhooks @prateekpandey14
-/pkg/engine @prateekpandey14
-/pkg/generate @prateekpandey14
-/pkg/policy/generate @prateekpandey14
-/api @prateekpandey14 @eddycharly
-/charts @treydock @eddycharly
-/pkg/autogen @eddycharly
-/pkg/utils @eddycharly
+/api @eddycharly @realshuting
+/api/kyverno/v1 @eddycharly
+/charts @treydock @eddycharly
+/docs @chipzoller
+/pkg/autogen @eddycharly
+/pkg/background @realshuting
+/pkg/engine @marcelmue @realshuting @MariamFahmy98 @KhaledEmaraDev
+/pkg/event @KhaledEmaraDev
+/pkg/globalcontext @KhaledEmaraDev
+/pkg/policy/mutate @marcelmue
+/pkg/pss @realshuting
+/pkg/utils @eddycharly
+/pkg/userinfo @realshuting
+/pkg/validation @realshuting
+/pkg/webhooks @marcelmue @realshuting
+/test @chipzoller @eddycharly @realshuting @MariamFahmy98 @KhaledEmaraDev
+/pkg/cosign @Vishal-Chdhry
+/pkg/notary @Vishal-Chdhry
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index 7d3ef13fea21..f8848736e2a9 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
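Review bot: CODEOWNERS resolves by last matching pattern, so with `/api @eddycharly @realshuting` followed by `/api/kyverno/v1 @eddycharly`, changes under `api/kyverno/v1` request review from @eddycharly only and @realshuting is not added for that subtree; if that narrowing is intended it deserves a comment, otherwise list both owners on the `/api/kyverno/v1` line. The retained header comment still says the file lists areas where @marcelmue wants to be notified, which no longer describes its contents; `# Code owners by area; the last matching pattern wins` would be accurate. `/pkg/registryclient` is removed outright rather than given an owner, so that package falls back to whatever default review rules apply.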
@@ -1,36 +1,6 @@ -# Kyverno Community Code of Conduct v1.0 +# Code of Conduct -## Contributor Code of Conduct +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the Code of Conduct published and maintained at https://github.com/kyverno/community/blob/main/CODE_OF_CONDUCT.md. + -As contributors and maintainers of this project, and in the interest of fostering -an open and welcoming community, we pledge to respect all people who contribute -through reporting issues, posting feature requests, updating documentation, -submitting pull requests or patches, and other activities. -We are committed to making participation in this project a harassment-free experience for -everyone, regardless of level of experience, gender, gender identity and expression, -sexual orientation, disability, personal appearance, body size, race, ethnicity, age, -religion, or nationality. - -Examples of unacceptable behavior by participants include: - -* The use of sexualized language or imagery -* Personal attacks -* Trolling or insulting/derogatory comments -* Public or private harassment -* Publishing other's private information, such as physical or electronic addresses, without explicit permission -* Other unethical or unprofessional conduct. - -Project maintainers have the right and responsibility to remove, edit, or reject -comments, commits, code, wiki edits, issues, and other contributions that are not -aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers -commit themselves to fairly and consistently applying these principles to every aspect -of managing this project. Project maintainers who do not follow or enforce the Code of -Conduct may be permanently removed from the project team. - -This code of conduct applies both within project spaces and in public spaces -when an individual is representing the project or its community. 
- -Instances of abusive, harassing, or otherwise unacceptable behavior in Kubernetes may be reported by contacting the project maintainer(s). - -This Code of Conduct is adapted from the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md) and the [Contributor Covenant](https://www.contributor-covenant.org/), [version 1.2.0](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct/). diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 91866b9d9a45..414a239e4b29 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -1,136 +1,32 @@ -# Contributing Guidelines for Kyverno +# Contributor Guidelines for Kyverno -We welcome all contributions, suggestions, and feedback, so please do not hesitate to reach out! +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the contributor guidelines published at: https://github.com/kyverno/community/blob/main/CODE_OF_CONDUCT.md. -Before you contribute, please take a moment to review and agree to abide by our community [Code of Conduct](/CODE_OF_CONDUCT.md). +Please review the general guidelines before proceeding further to the project specific information below. -- [Contributing Guidelines for Kyverno](#contributing-guidelines-for-kyverno) - - [Engage with us](#engage-with-us) - - [Ways you can contribute](#ways-you-can-contribute) - - [1. Report issues](#1-report-issues) - - [2. Fix or Improve Documentation](#2-fix-or-improve-documentation) - - [3. Submit Pull Requests](#3-submit-pull-requests) - - [How to Create a PR](#how-to-create-a-pr) - - [Developer Certificate of Origin (DCO) Sign off](#developer-certificate-of-origin-dco-sign-off) - - [Release Processes](#release-processes) +### Fix or Improve Kyverno Documentation -## Engage with us - -The Kyverno website has the most updated information on [how to engage with the Kyverno community](https://kyverno.io/community/) including its maintainers and contributors. - -Join our community meetings to learn more about Kyverno and engage with other contributors. - -## Ways you can contribute - -### 1. Report issues - -Issues to Kyverno help improve the project in multiple ways including the following: - -- Report potential bugs -- Request a feature -- Request a sample policy +The [Kyverno website](https://kyverno.io), like the main Kyverno codebase, is stored in its own [git repo](https://github.com/kyverno/website). To get started with contributions to the documentation, [follow the guide](https://github.com/kyverno/website#contributing) on that repository. -### 2. 
Fix or Improve Documentation +### Developer Guides -The [Kyverno website](https://kyverno.io), like the main Kyverno codebase, is stored in its own [git repo](https://github.com/kyverno/website). To get started with contributions to the documentation, [follow the guide](https://github.com/kyverno/website#contributing) on that repository. +To learn about the code base and developer processes, refer to the [development guide](/DEVELOPMENT.md). -### 3. Submit Pull Requests +### Good First Issues -[Pull requests](https://docs.github.com/en/github/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests) (PRs) allow you to contribute back the changes you've made on your side enabling others in the community to benefit from your hard work. They are the main source by which all changes are made to this project and are a standard piece of GitHub operational flows. +Maintainers identify issues that are ideal for new contributors with a `good first issue` label. -New contributors may easily view all [open issues labeled as good first issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) allowing you to get started in an approachable manner. +View all Kyverno [good first issues](https://github.com/kyverno/kyverno/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22). -Once you wish to get started contributing to the code base, please refer to our [running in development mode](https://github.com/kyverno/kyverno/wiki/Running-in-development-mode) for local setup guide. +### Pull Request Guidelines In the process of submitting your PRs, please read and abide by the template provided to ensure the maintainers are able to understand your changes and quickly come up to speed. There are some important pieces that are required outside the code itself. Some of these are up to you, others are up to the maintainers. 1. 
Provide Proof Manifests allowing the maintainers and other contributors to verify your changes without requiring they understand the nuances of all your code. 2. For new or changed functionality, this typically requires documentation and so raise a corresponding issue (or, better yet, raise a separate PR) on the [documentation repository](https://github.com/kyverno/website). -3. Test your change with the [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) and provide a test manifest in the proper format. If your feature/fix does not work with the CLI, a separate issue requesting CLI support must be made. For changes which can be tested as an end user, we require conformance/e2e tests by using the `kuttl` tool. See [here](https://github.com/kyverno/kyverno/tree/main/test/conformance/kuttl/README.md) for a specific guide on how and when to write these tests. +3. Test your change with the [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) and provide a test manifest in the proper format. If your feature/fix does not work with the CLI, a separate issue requesting CLI support must be made. For changes which can be tested as an end user, we require conformance/e2e tests by using the `chainsaw` tool. See [here](https://github.com/kyverno/kyverno/tree/main/test/conformance/chainsaw/README.md) for a specific guide on how and when to write these tests. 4. Indicate which release this PR is triaged for (maintainers). This step is important especially for the documentation maintainers in order to understand when and where the necessary changes should be made. -#### How to Create a PR - -Head over to the project repository on GitHub and click the **"Fork"** button. With the forked copy, you can try new ideas and implement changes to the project. - -1. **Clone the repository to your device:** - -Get the link of your forked repository, paste it in your device terminal and clone it using the command. - -```sh -git clone https://hostname/YOUR-USERNAME/YOUR-REPOSITORY -``` - -2. 
**Create a branch:** - -Create a new brach and navigate to the branch using this command. - -```sh -git checkout -b -``` - -Great, it's time to start hacking! You can now go ahead to make all the changes you want. - -3. **Stage, Commit, and Push changes:** - -Now that we have implemented the required changes, use the command below to stage the changes and commit them. - -```sh -git add . -``` - -```sh -git commit -s -m "Commit message" -``` - -The `-s` signifies that you have signed off the commit. - -Go ahead and push your changes to GitHub using this command. - -```sh -git push -``` - -#### Cherry-pick PRs to release branches - -Once you fork the project, you will notice that there are a number of branches related to Kyverno's releases such as release-1.7. You can view the list of remote branches by using the command below: - -```sh -$ git branch -r -... -origin/release-1.5 -origin/release-1.6 -origin/release-1.7 -``` - -Checkout one of the release branch and cherry-pick the PRs you want to merge into the release branch: - -```sh -$ git checkout release-1.7 - -git cherry-pick -s - -git push --set-upstream origin release-1.7 -``` - -Once the commit has been cherry-picked, the author will need to open a PR merging to the release branch, release-1.7 for example. - -#### Developer Certificate of Origin (DCO) Sign off - -For contributors to certify that they wrote or otherwise have the right to submit the code they are contributing to the project, we are requiring everyone to acknowledge this by signing their work which indicates you agree to the DCO found [here](https://developercertificate.org/). - -To sign your work, just add a line like this at the end of your commit message: - -```sh -Signed-off-by: Random J Developer -``` - -This can easily be done with the `-s` command line option to append this automatically to your commit message. 
- -```sh -git commit -s -m 'This is my commit message' -``` - ## Release Processes -Review the Kyverno release process at: https://kyverno.io/docs/releases/ \ No newline at end of file +Review the Kyverno release process at: https://kyverno.io/docs/releases/ diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md new file mode 100644 index 000000000000..e21b6acd5dd9 --- /dev/null +++ b/CONTRIBUTORS.md @@ -0,0 +1,17 @@ +## Contributors + +Contributors are those who have made enough contributions to the project as defined in the [Contributing guide](https://kyverno.io/community/#contributing). In order to add yourself as a contributor, open a PR with your information added to the table. + +| Maintainer | GitHub ID | +|--------------------------|--------------------------------------------------------| +| Ved Ratan | [@VedRatan](https://github.com/VedRatan) | +| Chandan DK | [@Chandan-DK](https://github.com/Chandan-DK) | +| Swastik Gour | [@swastik959](https://github.com/swastik959) | +| Amit Kumar | [@hackeramitkumar](https://github.com/hackeramitkumar) | +| Khaled Emara | [@KhaledEmaraDev](https://github.com/KhaledEmaraDev) | +| Anushka Mittal | [@anushkamittal2001](https://github.com/anushkamittal2001)| +| Sanskar Gurdasani | [@Sanskarzz](https://github.com/Sanskarzz) | +| D N Siva Sathyaseelan | [@sivasathyaseeelan](https://github.com/sivasathyaseeelan)| +| Mohamed Asif S | [@mohamedasifs123](https://github.com/mohamedasifs123)| +| Suruchi Kumari | [@coder12git](https://github.com/coder12git)| +| Shubham Singh | [@1shubham7](https://github.com/1shubham7) | diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index 9fccedb01ff2..9e7fc84072f9 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md 
@@ -4,6 +4,7 @@ This document covers basic needs to work with Kyverno codebase. It contains instructions to build, run, and test Kyverno. +- [Open project in devcontainer](#open-project-in-devcontainer-recommended) - [Tools](#tools) - [Building local binaries](#building-local-binaries) - [Building kyvernopre locally](#building-kyvernopre-locally) @@ -12,6 +13,7 @@ It contains instructions to build, run, and test Kyverno. - [Building local images](#building-local-images) - [Building local images with ko](#building-local-images-with-ko) - [Pushing images](#pushing-images) + - [Images tagging strategy](#images-tagging-strategy) - [Pushing images with ko](#pushing-images-with-ko) - [Deploying a local build](#deploying-a-local-build) - [Create a local cluster](#create-a-local-cluster) 
@@ -25,6 +27,35 @@ It contains instructions to build, run, and test Kyverno. - [Generating helm charts CRDs](#generating-helm-charts-crds) - [Generating helm charts docs](#generating-helm-charts-docs) - [Debugging local code](#debugging-local-code) +- [Profiling](#profiling) +- [API Design](#api-design) +- [Controllers Design](#controllers-design) +- [Logging](#logging) +- [Feature Flags](#feature-flags) +- [Reports Design](#reports-design) +- [Troubleshooting](#troubleshooting) +- [Selecting Issues](#selecting-issues) + + +## Open project in devcontainer (recommended) +- Clone the project to your local machine. +- Make sure that you have the Visual Studio Code editor installed on your system. + +- Make sure that you have wsl(Ubuntu preferred) and Docker installed on your system and on wsl too (docker.sock (UNIX socket) file is necessary to enable devcontainer to communicate with docker running in host machine). + +- Open the project in Visual Studio Code, once the project is opened hit F1 and type wsl, now click on "Reopen in WSL". + +- If you haven't already done so, install the **Dev Containers** extension in Visual Studio Code. + +- Once the extension is installed, you should see a green icon in the bottom left corner of the window. + +- After you have installed Dev Containers extension, it should automatically detect the .devcontainer folder inside the project opened in wsl, and should suggest you to open the project in container. + +- If it doesn't suggest you, then press Ctrl + Shift + p and search "reopen in container" and click on it. + +- If everything goes well, the project should be opened in your devcontainer. + +- Then follow the steps as mentioned below to configure the project. ## Tools 
@@ -63,10 +94,10 @@ The Kyverno repository contains code for three different binaries: To build `kyvernopre` binary on your local system, run: ```console -make build-kyvernopre +make build-kyverno-init ``` -The binary should be created at `./cmd/initContainer/kyvernopre`. +The binary should be created at `./cmd/kyverno-init/kyvernopre`. ### Building kyverno locally @@ -111,7 +142,7 @@ When building local images with ko you can't specify the registry used to create To build `kyvernopre` image on your local system, run: ```console -make ko-build-kyvernopre +make ko-build-kyverno-init ``` The resulting image should be available locally, named `ko.local/github.com/kyverno/kyverno/cmd/initcontainer`. @@ -142,7 +173,12 @@ Pushing images is very similar to [building local images](#building-local-images When pushing images you can specify the registry you want to publish images to by setting the `REGISTRY` environment variable (default value is `ghcr.io`). - +### Images tagging strategy + +When publishing images, we are using the following strategy: +- All published images are tagged with `latest`. Images tagged with `latest` should not be considered stable and can come from multiple release branches or main. +- In addition to `latest`, dev images are tagged with the following pattern `.-dev-N-` where `N` is a two-digit number beginning at one for the major-minor combination and incremented by one on each subsequent tagged image. +- In addition to `latest`, release images are tagged with the following pattern `..-
`. The pre release part is optional and only applies to pre releases (`-beta.1`, `-rc.2`, ...).
 
 ### Pushing images with ko
 
@@ -157,12 +193,12 @@ To allow authentication you will need to set `REGISTRY_USERNAME` and `REGISTRY_P
 To push `kyvernopre` image on a remote registry, run:
 ```console
 # push stable image
-make ko-publish-kyvernopre
+make ko-publish-kyverno-init
 ```
 or
 ```console
 # push dev image
-make ko-publish-kyvernopre-dev
+make ko-publish-kyverno-init-dev
 ```
 
 The resulting image should be available remotely, named `ghcr.io/kyverno/kyvernopre` (by default, if `REGISTRY` environment variable was not set).
@@ -215,7 +251,7 @@ To create a local KinD cluster, run:
 make kind-create-cluster
 ```
 
-You can override the k8s version by setting the `KIND_IMAGE` environment variable (default value is `kindest/node:v1.24.0`).
+You can override the k8s version by setting the `KIND_IMAGE` environment variable (default value is `kindest/node:v1.29.1`).
 
 You can also override the KinD cluster name by setting the `KIND_NAME` environment variable (default value is `kind`).
 
@@ -224,7 +260,7 @@ You can also override the KinD cluster name by setting the `KIND_NAME` environme
 To build local images and load them on a local KinD cluster, run:
 ```console
 # build kyvernopre image and load it in KinD cluster
-make kind-load-kyvernopre
+make kind-load-kyverno-init
 ```
 or
 ```console
@@ -386,13 +422,129 @@ You can run Kyverno locally or in your IDE of choice with a few steps:
 1. Deploy Kyverno manifests except the Kyverno `Deployment`
     - Kyverno is going to run on your local machine, so it should not run in cluster at the same time
     - You can deploy the manifests by running `make debug-deploy`
+1. There are multiple environment variables that need to be configured. The variables can be found in [here](./.vscode/launch.json). Their values can be set using the command `export $NAME=value`
 1. To run Kyverno locally against the remote cluster you will need to provide `--kubeconfig` and `--serverIP` arguments:
     - `--kubeconfig` must point to your kubeconfig file (usually `~/.kube/config`)
     - `--serverIP` must be set to `:9443` (`` is the private ip adress of your local machine)
+    - `--backgroundServiceAccountName` must be set to `system:serviceaccount:kyverno:kyverno-background-controller`
+    - `--caSecretName` must be set to `kyverno-svc.kyverno.svc.kyverno-tls-ca`
+    - `--tlsSecretName` must be set to `kyverno-svc.kyverno.svc.kyverno-tls-pair`
 
 Once you are ready with the steps above, Kyverno can be started locally with:
 ```console
-go run ./cmd/kyverno/ --kubeconfig ~/.kube/config --serverIP=:9443
+go run ./cmd/kyverno/ --kubeconfig ~/.kube/config --serverIP=:9443 --backgroundServiceAccountName=system:serviceaccount:kyverno:kyverno-background-controller --caSecretName=kyverno-svc.kyverno.svc.kyverno-tls-ca  --tlsSecretName=kyverno-svc.kyverno.svc.kyverno-tls-pair
 ```
 
 You will need to adapt those steps to run debug sessions in your IDE of choice, but the general idea remains the same.
+
+
+## Profiling
+
+### Enable profiling
+To profile Kyverno application running inside a Kubernetes pod, set `--profile` flag to `true` in [install.yaml](https://github.com/kyverno/kyverno/blob/main/definitions/install.yaml). The default profiling port is 6060, and it can be configured via `profile-port`.
+
+```
+  --profile
+        Set this flag to 'true', to enable profiling.
+  --profile-port string
+        Enable profiling at given port, defaults to 6060. (default "6060")
+```
+
+### Expose the endpoint on a local port
+You can get at the application in the pod by port forwarding with kubectl, for example:
+
+````shell
+$ kubectl -n kyverno get pod
+NAME                                             READY   STATUS      RESTARTS       AGE
+kyverno-admission-controller-57df6c565f-pxpnh    1/1     Running     0              20s
+kyverno-background-controller-766589695-dhj9m    1/1     Running     0              20s
+kyverno-cleanup-controller-54466dfbc6-5mlrc      1/1     Running     0              19s
+kyverno-cleanup-update-requests-28695530-ft975   1/1     Running     0              19s
+kyverno-reports-controller-76c49549f4-tljwm      1/1     Running     0              20s
+````
+
+Check the port of the pod you'd like to forward using the command below.
+
+````bash
+$ kubectl get pod kyverno-admission-controller-57df6c565f-pxpnh -n kyverno  --template='{{(index (index .spec.containers 0).ports 0).containerPort}}{{"\n"}}'
+9443
+````
+
+Use the exposed port from above to run port-forward with the below command.
+
+````bash
+$ kubectl -n kyverno port-forward kyverno-admission-controller-57df6c565f-pxpnh 6060:9443
+Forwarding from 127.0.0.1:6060 -> 9443
+Forwarding from [::1]:6060 -> 9443
+````
+
+The HTTP endpoint will now be available as a local port.
+
+Alternatively, use a Service of the type `LoadBalancer` to expose Kyverno. An example Service manifest is given below:
+
+```yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: pproc-service
+  namespace: kyverno
+spec:
+  selector:
+    app: kyverno
+  ports:
+    - protocol: TCP
+      port: 6060
+      targetPort: 6060
+  type: LoadBalancer
+```
+
+
+### Generate the data
+You can then generate the file for the **memory** profile with curl and pipe the data to a file:
+````shell
+$ curl http://localhost:6060/debug/pprof/heap  > heap.pprof
+````
+
+Generate the file for the **CPU** profile with curl and pipe the data to a file:
+```shell
+curl "http://localhost:6060/debug/pprof/profile?seconds=60" > cpu.pprof
+```
+
+### Analyze the data
+To analyze the data:
+````shell
+go tool pprof heap.pprof
+````
+
+### Read more about profiling
+
+- [Profiling Golang Programs on Kubernetes](https://danlimerick.wordpress.com/2017/01/24/profiling-golang-programs-on-kubernetes/)
+- [Official GO blog](https://blog.golang.org/pprof)
+
+## API Design
+
+See [docs/dev/api](./docs/dev/api/README.md)
+
+## Controllers Design
+
+See [docs/dev/controllers](./docs/dev/controllers/README.md)
+
+## Logging
+
+See [docs/dev/logging/logging.md](./docs/dev/logging/logging.md)
+
+## Feature Flags
+
+See [docs/dev/feature-flags](./docs/dev/feature-flags/README.md)
+
+## Reports Design
+
+See [docs/dev/reports](./docs/dev/reports/README.md)
+
+## Troubleshooting
+
+See [docs/dev/troubleshooting](./docs/dev/troubleshooting/)
+
+## Selecting Issues
+
+When you are ready to contribute, you can select issue at [Good First Issues](https://github.com/orgs/kyverno/projects/10). 
diff --git a/GOVERNANCE.md b/GOVERNANCE.md
new file mode 100644
index 000000000000..66ae53316445
--- /dev/null
+++ b/GOVERNANCE.md
@@ -0,0 +1,3 @@
+# Kyverno Governance
+
+[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the governance published and maintained at https://github.com/kyverno/community/blob/main/GOVERNANCE.md.
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index 2e76741df39f..c387932c23c3 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -6,13 +6,19 @@ Maintainers are approvers who have shown good technical judgement in guiding fea
 |--------------------------|--------------------------------------------------------|---------------------------|
 | Jim Bugwadia             | [@JimBugwadia](https://github.com/JimBugwadia)         | Nirmata                   |
 | Shuting Zhao             | [@realshuting](https://github.com/realshuting)         | Nirmata                   |
-| Chip Zoller              | [@chipzoller](https://github.com/chipzoller)           | Nirmata                   |
+| Chip Zoller              | [@chipzoller](https://github.com/chipzoller)           | Stackwatch (Kubecost)     |
 | Marcel Müller            | [@MarcelMue](https://github.com/MarcelMue)             | Giant Swarm GmbH          |
-| Trey Dockendorf          | [@treydock](https://github.com/treydock)               | Ohio Supercomputer Center |
-| Vyankatesh Kudtarkar     | [@vyankyGH](https://github.com/vyankyGH)               | Nirmata                   |
-| Prateek Pandey           | [@prateekpandey14](https://github.com/prateekpandey14) | Nirmata                   |
-| Sambhav Kothari          | [@samj1912](https://github.com/samj1912)               | Bloomberg                 |
 | Charles-Edouard Brétéché | [@eddycharly](https://github.com/eddycharly)           | Nirmata                   |
+| Vishal Choudhary         | [@vishal-chdhry](https://github.com/vishal-chdhry)     | Nirmata                   |
+| Mariam Fahmy             | [@MariamFahmy98](https://github.com/MariamFahmy98)     | Nirmata                   |
 
+**Note**: Please refer to the [Project Governance](https://kyverno.io/community/#project-governance) for more information on the responsibilities and privileges of a maintainer in Kyverno.
 
-**Note**: Please refer to the [Project Governance](https://main.kyverno.io/community/#project-governance) for more information on the responsibilities and privileges of a maintainer in Kyverno.
+## Maintainers Emeritus
+
+| Maintainer               | GitHub ID                                              | Affiliation               |
+|--------------------------|--------------------------------------------------------|---------------------------|
+| Vyankatesh Kudtarkar     | [@vyankyGH](https://github.com/vyankyGH)               |                           |
+| Prateek Pandey           | [@prateekpandey14](https://github.com/prateekpandey14) |                           |
+| Sambhav Kothari          | [@samj1912](https://github.com/samj1912)               | Bloomberg                 |
+| Trey Dockendorf          | [@treydock](https://github.com/treydock)               | Ohio Supercomputer Center |
diff --git a/Makefile b/Makefile
index 3c45f96bb74a..b607859d4981 100644
--- a/Makefile
+++ b/Makefile
@@ -4,20 +4,12 @@
 # DEFAULTS #
 ############
 
-GIT_VERSION          := $(shell git describe --match "v[0-9]*" --tags $(git rev-list --tags --max-count=1))
-GIT_VERSION_DEV      := $(shell git describe --match "[0-9].[0-9]-dev*")
-GIT_BRANCH           := $(shell git branch | grep \* | cut -d ' ' -f2)
-GIT_HASH             := $(GIT_BRANCH)/$(shell git log -1 --pretty=format:"%H")
-TIMESTAMP            := $(shell date '+%Y-%m-%d_%I:%M:%S%p')
-VERSION              ?= $(shell git describe --match "v[0-9]*")
+GIT_SHA              := $(shell git rev-parse HEAD)
 REGISTRY             ?= ghcr.io
 REPO                 ?= kyverno
-IMAGE_TAG_LATEST_DEV  = $(shell git describe --match "[0-9].[0-9]-dev*" | cut -d '-' -f-2)
-IMAGE_TAG_DEV         = $(GIT_VERSION_DEV)
-IMAGE_TAG            ?= $(GIT_VERSION)
-K8S_VERSION          ?= $(shell kubectl version --short | grep -i server | cut -d" " -f3 | cut -c2-)
-KIND_IMAGE           ?= kindest/node:v1.25.3
+KIND_IMAGE           ?= kindest/node:v1.30.0
 KIND_NAME            ?= kind
+KIND_CONFIG          ?= default
 GOOS                 ?= $(shell go env GOOS)
 GOARCH               ?= $(shell go env GOARCH)
 KOCACHE              ?= /tmp/ko-cache
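Review bot: The `KIND_IMAGE` default set on the `+KIND_IMAGE` line is `kindest/node:v1.30.0`, while the DEVELOPMENT.md hunk in this same commit tells contributors the default is `kindest/node:v1.29.1`; one of the two should be updated so the documented default matches the Makefile. The removed `GIT_VERSION*`, `GIT_HASH`, `TIMESTAMP`, `IMAGE_TAG*` and `K8S_VERSION` variables are not reintroduced anywhere in the visible hunks, so any target outside this chunk that still references them would now expand to an empty string; I cannot see the rest of the file, so that is worth a grep before merging.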
@@ -26,55 +18,60 @@ KYVERNOPRE_IMAGE     := kyvernopre
 KYVERNO_IMAGE        := kyverno
 CLI_IMAGE            := kyverno-cli
 CLEANUP_IMAGE        := cleanup-controller
+REPORTS_IMAGE        := reports-controller
+BACKGROUND_IMAGE     := background-controller
 REPO_KYVERNOPRE      := $(REGISTRY)/$(REPO)/$(KYVERNOPRE_IMAGE)
 REPO_KYVERNO         := $(REGISTRY)/$(REPO)/$(KYVERNO_IMAGE)
 REPO_CLI             := $(REGISTRY)/$(REPO)/$(CLI_IMAGE)
 REPO_CLEANUP         := $(REGISTRY)/$(REPO)/$(CLEANUP_IMAGE)
+REPO_REPORTS         := $(REGISTRY)/$(REPO)/$(REPORTS_IMAGE)
+REPO_BACKGROUND      := $(REGISTRY)/$(REPO)/$(BACKGROUND_IMAGE)
 USE_CONFIG           ?= standard
 
 #########
 # TOOLS #
 #########
 
-TOOLS_DIR                          := $(PWD)/.tools
-KIND                               := $(TOOLS_DIR)/kind
-KIND_VERSION                       := v0.17.0
-CONTROLLER_GEN                     := $(TOOLS_DIR)/controller-gen
-CONTROLLER_GEN_VERSION             := v0.11.1
-CLIENT_GEN                         := $(TOOLS_DIR)/client-gen
-LISTER_GEN                         := $(TOOLS_DIR)/lister-gen
-INFORMER_GEN                       := $(TOOLS_DIR)/informer-gen
-OPENAPI_GEN                        := $(TOOLS_DIR)/openapi-gen
-CODE_GEN_VERSION                   := v0.26.0
-GEN_CRD_API_REFERENCE_DOCS         := $(TOOLS_DIR)/gen-crd-api-reference-docs
-GEN_CRD_API_REFERENCE_DOCS_VERSION := latest
-GO_ACC                             := $(TOOLS_DIR)/go-acc
-GO_ACC_VERSION                     := latest
-GOIMPORTS                          := $(TOOLS_DIR)/goimports
-GOIMPORTS_VERSION                  := latest
-HELM                               := $(TOOLS_DIR)/helm
-HELM_VERSION                       := v3.10.1
-HELM_DOCS                          := $(TOOLS_DIR)/helm-docs
-HELM_DOCS_VERSION                  := v1.11.0
-KO                                 := $(TOOLS_DIR)/ko
-KO_VERSION                         := main #e93dbee8540f28c45ec9a2b8aec5ef8e43123966
-KUTTL                              := $(TOOLS_DIR)/kubectl-kuttl
-KUTTL_VERSION                      := v0.0.0-20230108220859-ef8d83c89156
-TOOLS                              := $(KIND) $(CONTROLLER_GEN) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO) $(KUTTL)
+TOOLS_DIR                          ?= $(PWD)/.tools
+KIND                               ?= $(TOOLS_DIR)/kind
+KIND_VERSION                       ?= v0.23.0
+CONTROLLER_GEN_VERSION             ?= v0.15.0
+CLIENT_GEN                         ?= $(TOOLS_DIR)/client-gen
+LISTER_GEN                         ?= $(TOOLS_DIR)/lister-gen
+INFORMER_GEN                       ?= $(TOOLS_DIR)/informer-gen
+OPENAPI_GEN                        ?= $(TOOLS_DIR)/openapi-gen
+REGISTER_GEN                       ?= $(TOOLS_DIR)/register-gen
+DEEPCOPY_GEN                       ?= $(TOOLS_DIR)/deepcopy-gen
+DEFAULTER_GEN                      ?= $(TOOLS_DIR)/defaulter-gen
+APPLYCONFIGURATION_GEN             ?= $(TOOLS_DIR)/applyconfiguration-gen
+CODE_GEN_VERSION                   ?= v0.28.0
+GEN_CRD_API_REFERENCE_DOCS         ?= $(TOOLS_DIR)/gen-crd-api-reference-docs
+GEN_CRD_API_REFERENCE_DOCS_VERSION ?= latest
+GENREF                             ?= $(TOOLS_DIR)/genref
+GENREF_VERSION                     ?= master
+GO_ACC                             ?= $(TOOLS_DIR)/go-acc
+GO_ACC_VERSION                     ?= latest
+GOIMPORTS                          ?= $(TOOLS_DIR)/goimports
+GOIMPORTS_VERSION                  ?= latest
+HELM                               ?= $(TOOLS_DIR)/helm
+HELM_VERSION                       ?= v3.12.3
+HELM_DOCS                          ?= $(TOOLS_DIR)/helm-docs
+HELM_DOCS_VERSION                  ?= v1.11.0
+KO                                 ?= $(TOOLS_DIR)/ko
+KO_VERSION                         ?= v0.14.1
+KUBE_VERSION                       ?= v1.25.0
+TOOLS                              := $(KIND) $(CLIENT_GEN) $(LISTER_GEN) $(INFORMER_GEN) $(OPENAPI_GEN) $(REGISTER_GEN) $(DEEPCOPY_GEN) $(DEFAULTER_GEN) $(APPLYCONFIGURATION_GEN) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) $(GO_ACC) $(GOIMPORTS) $(HELM) $(HELM_DOCS) $(KO)
 ifeq ($(GOOS), darwin)
 SED                                := gsed
 else
 SED                                := sed
 endif
+COMMA                              := ,
 
 $(KIND):
 	@echo Install kind... >&2
 	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/kind@$(KIND_VERSION)
 
-$(CONTROLLER_GEN):
-	@echo Install controller-gen... >&2
-	@GOBIN=$(TOOLS_DIR) go install sigs.k8s.io/controller-tools/cmd/controller-gen@$(CONTROLLER_GEN_VERSION)
-
 $(CLIENT_GEN):
 	@echo Install client-gen... >&2
 	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/client-gen@$(CODE_GEN_VERSION)
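Review bot: `GENREF_VERSION ?= master` installs a code-generation tool from a moving branch head (the `$(GENREF)` recipe in the next hunk runs `go install ...@$(GENREF_VERSION)`), so `make install-tools` is not reproducible and pulls whatever that branch contains on the day it runs; the same commit pins `KO_VERSION` to `v0.14.1`, and `GENREF_VERSION` should be pinned the same way, e.g. `GENREF_VERSION ?= <PINNED-TAG-OR-COMMIT placeholder>`. `GEN_CRD_API_REFERENCE_DOCS_VERSION`, `GO_ACC_VERSION` and `GOIMPORTS_VERSION` stay at `latest` and have the same property, although that part is pre-existing. `CONTROLLER_GEN_VERSION` is kept while the `CONTROLLER_GEN` variable and its install target are removed; unless a target I cannot see still uses it, it is now a dead definition.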
@@ -91,10 +88,30 @@ $(OPENAPI_GEN):
 	@echo Install openapi-gen... >&2
 	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/openapi-gen@$(CODE_GEN_VERSION)
 
+$(REGISTER_GEN):
+	@echo Install register-gen... >&2
+	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/register-gen@$(CODE_GEN_VERSION)
+
+$(DEEPCOPY_GEN):
+	@echo Install deepcopy-gen... >&2
+	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/deepcopy-gen@$(CODE_GEN_VERSION)
+
+$(DEFAULTER_GEN):
+	@echo Install defaulter-gen... >&2
+	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/defaulter-gen@$(CODE_GEN_VERSION)
+
+$(APPLYCONFIGURATION_GEN):
+	@echo Install applyconfiguration-gen... >&2
+	@GOBIN=$(TOOLS_DIR) go install k8s.io/code-generator/cmd/applyconfiguration-gen@$(CODE_GEN_VERSION)
+
 $(GEN_CRD_API_REFERENCE_DOCS):
 	@echo Install gen-crd-api-reference-docs... >&2
 	@GOBIN=$(TOOLS_DIR) go install github.com/ahmetb/gen-crd-api-reference-docs@$(GEN_CRD_API_REFERENCE_DOCS_VERSION)
 
+$(GENREF):
+	@echo Install genref... >&2
+	@GOBIN=$(TOOLS_DIR) go install github.com/kubernetes-sigs/reference-docs/genref@$(GENREF_VERSION)
+
 $(GO_ACC):
 	@echo Install go-acc... >&2
 	@GOBIN=$(TOOLS_DIR) go install github.com/ory/go-acc@$(GO_ACC_VERSION)
@@ -115,10 +132,6 @@ $(KO):
 	@echo Install ko... >&2
 	@GOBIN=$(TOOLS_DIR) go install github.com/google/ko@$(KO_VERSION)
 
-$(KUTTL):
-	@echo Install kuttl... >&2
-	@GOBIN=$(TOOLS_DIR) go install github.com/kyverno/kuttl/cmd/kubectl-kuttl@$(KUTTL_VERSION)
-
 .PHONY: install-tools
 install-tools: $(TOOLS) ## Install tools
 
@@ -131,19 +144,26 @@ clean-tools: ## Remove installed tools
 # BUILD (LOCAL) #
 #################
 
-CMD_DIR        := ./cmd
+CMD_DIR        := cmd
 KYVERNO_DIR    := $(CMD_DIR)/kyverno
-KYVERNOPRE_DIR := $(CMD_DIR)/initContainer
+KYVERNOPRE_DIR := $(CMD_DIR)/kyverno-init
 CLI_DIR        := $(CMD_DIR)/cli/kubectl-kyverno
 CLEANUP_DIR    := $(CMD_DIR)/cleanup-controller
+REPORTS_DIR    := $(CMD_DIR)/reports-controller
+BACKGROUND_DIR := $(CMD_DIR)/background-controller
 KYVERNO_BIN    := $(KYVERNO_DIR)/kyverno
 KYVERNOPRE_BIN := $(KYVERNOPRE_DIR)/kyvernopre
 CLI_BIN        := $(CLI_DIR)/kubectl-kyverno
 CLEANUP_BIN    := $(CLEANUP_DIR)/cleanup-controller
+REPORTS_BIN    := $(REPORTS_DIR)/reports-controller
+BACKGROUND_BIN := $(BACKGROUND_DIR)/background-controller
 PACKAGE        ?= github.com/kyverno/kyverno
 CGO_ENABLED    ?= 0
-LD_FLAGS        = "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
-LD_FLAGS_DEV    = "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(GIT_VERSION_DEV) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_HASH) -X $(PACKAGE)/pkg/version.BuildTime=$(TIMESTAMP)"
+ifdef VERSION
+LD_FLAGS       := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION)"
+else
+LD_FLAGS       := "-s -w"
+endif
 
 .PHONY: fmt
 fmt: ## Run go fmt
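Review bot: The new `LD_FLAGS` only stamps `pkg/version.BuildVersion`, and only when `VERSION` is set; the removed lines also stamped `pkg/version.BuildHash` and `BuildTime`, and `GIT_SHA` is now computed at the top of the Makefile but never reaches the binary. Losing the commit hash inside the binary makes it harder to map a running image back to the exact source during an incident, so consider `LD_FLAGS := "-s -w -X $(PACKAGE)/pkg/version.BuildVersion=$(VERSION) -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_SHA)"` in the `ifdef` branch and `LD_FLAGS := "-s -w -X $(PACKAGE)/pkg/version.BuildHash=$(GIT_SHA)"` in the `else` branch, assuming `pkg/version.BuildHash` still exists after this commit (that package is not visible here). Note also that `VERSION` is interpolated unquoted inside the double-quoted flag string, so a value containing whitespace would split into extra ldflags tokens.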
@@ -185,22 +205,36 @@ unused-package-check:
 
 $(KYVERNOPRE_BIN): fmt vet
 	@echo Build kyvernopre binary... >&2
-	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(KYVERNOPRE_BIN) -ldflags=$(LD_FLAGS) $(KYVERNOPRE_DIR)
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) \
+		go build -o ./$(KYVERNOPRE_BIN) -ldflags=$(LD_FLAGS) ./$(KYVERNOPRE_DIR)
 
 $(KYVERNO_BIN): fmt vet
 	@echo Build kyverno binary... >&2
-	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(KYVERNO_BIN) -ldflags=$(LD_FLAGS) $(KYVERNO_DIR)
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) \
+		go build -o ./$(KYVERNO_BIN) -ldflags=$(LD_FLAGS) ./$(KYVERNO_DIR)
 
 $(CLI_BIN): fmt vet
 	@echo Build cli binary... >&2
-	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(CLI_BIN) -ldflags=$(LD_FLAGS) $(CLI_DIR)
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) \
+		go build -o ./$(CLI_BIN) -ldflags=$(LD_FLAGS) ./$(CLI_DIR)
 
 $(CLEANUP_BIN): fmt vet
 	@echo Build cleanup controller binary... >&2
-	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) go build -o $(CLEANUP_BIN) -ldflags=$(LD_FLAGS) $(CLEANUP_DIR)
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) \
+		go build -o ./$(CLEANUP_BIN) -ldflags=$(LD_FLAGS) ./$(CLEANUP_DIR)
+
+$(REPORTS_BIN): fmt vet
+	@echo Build reports controller binary... >&2
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) \
+		go build -o ./$(REPORTS_BIN) -ldflags=$(LD_FLAGS) ./$(REPORTS_DIR)
+
+$(BACKGROUND_BIN): fmt vet
+	@echo Build background controller binary... >&2
+	@CGO_ENABLED=$(CGO_ENABLED) GOOS=$(GOOS) \
+		go build -o ./$(BACKGROUND_BIN) -ldflags=$(LD_FLAGS) ./$(BACKGROUND_DIR)
 
-.PHONY: build-kyvernopre
-build-kyvernopre: $(KYVERNOPRE_BIN) ## Build kyvernopre binary
+.PHONY: build-kyverno-init
+build-kyverno-init: $(KYVERNOPRE_BIN) ## Build kyvernopre binary
 
 .PHONY: build-kyverno
 build-kyverno: $(KYVERNO_BIN) ## Build kyverno binary
@@ -211,101 +245,132 @@ build-cli: $(CLI_BIN) ## Build cli binary
 .PHONY: build-cleanup-controller
 build-cleanup-controller: $(CLEANUP_BIN) ## Build cleanup controller binary
 
-build-all: build-kyvernopre build-kyverno build-cli build-cleanup-controller ## Build all binaries
+.PHONY: build-reports-controller
+build-reports-controller: $(REPORTS_BIN) ## Build reports controller binary
+
+.PHONY: build-background-controller
+build-background-controller: $(BACKGROUND_BIN) ## Build background controller binary
+
+build-all: build-kyverno-init build-kyverno build-cli build-cleanup-controller build-reports-controller build-background-controller ## Build all binaries
 
 ##############
 # BUILD (KO) #
 ##############
 
-PLATFORMS           := linux/amd64,linux/arm64,linux/s390x
 LOCAL_PLATFORM      := linux/$(GOARCH)
-KO_TAGS             := latest,$(IMAGE_TAG)
-KO_TAGS_DEV         := latest,$(IMAGE_TAG_DEV)
+KO_REGISTRY         := ko.local
+ifndef VERSION
+KO_TAGS             := $(GIT_SHA)
+else ifeq ($(VERSION),main)
+KO_TAGS             := $(GIT_SHA),latest
+else
+KO_TAGS             := $(GIT_SHA),$(subst /,-,$(VERSION))
+endif
+
+KO_CLI_REPO         := $(PACKAGE)/$(CLI_DIR)
+KO_KYVERNOPRE_REPO  := $(PACKAGE)/$(KYVERNOPRE_DIR)
+KO_KYVERNO_REPO     := $(PACKAGE)/$(KYVERNO_DIR)
+KO_CLEANUP_REPO     := $(PACKAGE)/$(CLEANUP_DIR)
+KO_REPORTS_REPO     := $(PACKAGE)/$(REPORTS_DIR)
+KO_BACKGROUND_REPO  := $(PACKAGE)/$(BACKGROUND_DIR)
 
-.PHONY: ko-build-kyvernopre
-ko-build-kyvernopre: $(KO) ## Build kyvernopre local image (with ko)
+.PHONY: ko-build-kyverno-init
+ko-build-kyverno-init: $(KO) ## Build kyvernopre local image (with ko)
 	@echo Build kyvernopre local image with ko... >&2
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=ko.local $(KO) build $(KYVERNOPRE_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(LOCAL_PLATFORM)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./$(KYVERNOPRE_DIR) --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
 
 .PHONY: ko-build-kyverno
 ko-build-kyverno: $(KO) ## Build kyverno local image (with ko)
 	@echo Build kyverno local image with ko... >&2
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=ko.local $(KO) build $(KYVERNO_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(LOCAL_PLATFORM)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./$(KYVERNO_DIR) --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
 
 .PHONY: ko-build-cli
 ko-build-cli: $(KO) ## Build cli local image (with ko)
 	@echo Build cli local image with ko... >&2
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=ko.local $(KO) build $(CLI_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(LOCAL_PLATFORM)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./$(CLI_DIR) --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
 
 .PHONY: ko-build-cleanup-controller
 ko-build-cleanup-controller: $(KO) ## Build cleanup controller local image (with ko)
 	@echo Build cleanup controller local image with ko... >&2
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=ko.local $(KO) build $(CLEANUP_DIR) --preserve-import-paths --tags=$(KO_TAGS_DEV) --platform=$(LOCAL_PLATFORM)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./$(CLEANUP_DIR) --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
+
+.PHONY: ko-build-reports-controller
+ko-build-reports-controller: $(KO) ## Build reports controller local image (with ko)
+	@echo Build reports controller local image with ko... >&2
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./$(REPORTS_DIR) --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
+
+.PHONY: ko-build-background-controller
+ko-build-background-controller: $(KO) ## Build background controller local image (with ko)
+	@echo Build background controller local image with ko... >&2
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(KO_REGISTRY) \
+		$(KO) build ./$(BACKGROUND_DIR) --preserve-import-paths --tags=$(KO_TAGS) --platform=$(LOCAL_PLATFORM)
 
 .PHONY: ko-build-all
-ko-build-all: ko-build-kyvernopre ko-build-kyverno ko-build-cli ko-build-cleanup-controller ## Build all local images (with ko)
+ko-build-all: ko-build-kyverno-init ko-build-kyverno ko-build-cli ko-build-cleanup-controller ko-build-reports-controller ko-build-background-controller ## Build all local images (with ko)
 
 ################
 # PUBLISH (KO) #
 ################
 
 REGISTRY_USERNAME   ?= dummy
-KO_KYVERNOPRE_IMAGE := ko.local/github.com/kyverno/kyverno/cmd/initcontainer
-KO_KYVERNO_IMAGE    := ko.local/github.com/kyverno/kyverno/cmd/kyverno
-KO_CLEANUP_IMAGE    := ko.local/github.com/kyverno/kyverno/cmd/cleanup-controller
+PLATFORMS           := all
 
 .PHONY: ko-login
 ko-login: $(KO)
 	@$(KO) login $(REGISTRY) --username $(REGISTRY_USERNAME) --password $(REGISTRY_PASSWORD)
 
-.PHONY: ko-publish-kyvernopre
-ko-publish-kyvernopre: ko-login ## Build and publish kyvernopre image (with ko)
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) $(KO) build $(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
+.PHONY: ko-publish-kyverno-init
+ko-publish-kyverno-init: ko-login ## Build and publish kyvernopre image (with ko)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) \
+		$(KO) build ./$(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
 
 .PHONY: ko-publish-kyverno
 ko-publish-kyverno: ko-login ## Build and publish kyverno image (with ko)
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNO) $(KO) build $(KYVERNO_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNO) \
+		$(KO) build ./$(KYVERNO_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
 
 .PHONY: ko-publish-cli
 ko-publish-cli: ko-login ## Build and publish cli image (with ko)
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLI) $(KO) build $(CLI_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLI) \
+		$(KO) build ./$(CLI_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
 
 .PHONY: ko-publish-cleanup-controller
 ko-publish-cleanup-controller: ko-login ## Build and publish cleanup controller image (with ko)
-	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLEANUP) $(KO) build $(CLEANUP_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
-
-.PHONY: ko-publish-kyvernopre-dev
-ko-publish-kyvernopre-dev: ko-login ## Build and publish kyvernopre dev image (with ko)
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNOPRE) $(KO) build $(KYVERNOPRE_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLEANUP) \
+		$(KO) build ./$(CLEANUP_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
 
-.PHONY: ko-publish-kyverno-dev
-ko-publish-kyverno-dev: ko-login ## Build and publish kyverno dev image (with ko)
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_KYVERNO) $(KO) build $(KYVERNO_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS)
+.PHONY: ko-publish-reports-controller
+ko-publish-reports-controller: ko-login ## Build and publish reports controller image (with ko)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_REPORTS) \
+		$(KO) build ./$(REPORTS_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
 
-.PHONY: ko-publish-cli-dev
-ko-publish-cli-dev: ko-login ## Build and publish cli dev image (with ko)
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLI) $(KO) build $(CLI_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS)
-
-.PHONY: ko-publish-cleanup-controller-dev
-ko-publish-cleanup-controller-dev: ko-login ## Build and publish cleanup controller dev image (with ko)
-	@LD_FLAGS=$(LD_FLAGS_DEV) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_CLEANUP) $(KO) build $(CLEANUP_DIR) --bare --tags=$(KO_TAGS_DEV) --platform=$(PLATFORMS)
+.PHONY: ko-publish-background-controller
+ko-publish-background-controller: ko-login ## Build and publish background controller image (with ko)
+	@LD_FLAGS=$(LD_FLAGS) KOCACHE=$(KOCACHE) KO_DOCKER_REPO=$(REPO_BACKGROUND) \
+		$(KO) build ./$(BACKGROUND_DIR) --bare --tags=$(KO_TAGS) --platform=$(PLATFORMS)
 
 .PHONY: ko-publish-all
-ko-publish-all: ko-publish-kyvernopre ko-publish-kyverno ko-publish-cli ko-publish-cleanup-controller ## Build and publish all images (with ko)
-
-.PHONY: ko-publish-all-dev
-ko-publish-all-dev: ko-publish-kyvernopre-dev ko-publish-kyverno-dev ko-publish-cli-dev ko-publish-cleanup-controller-dev ## Build and publish all dev images (with ko)
+ko-publish-all: ko-publish-kyverno-init ko-publish-kyverno ko-publish-cli ko-publish-cleanup-controller ko-publish-reports-controller ko-publish-background-controller ## Build and publish all images (with ko)
 
 #################
 # BUILD (IMAGE) #
 #################
 
-LOCAL_KYVERNOPRE_IMAGE := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_KYVERNOPRE_IMAGE)
-LOCAL_KYVERNO_IMAGE    := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_KYVERNO_IMAGE)
-LOCAL_CLEANUP_IMAGE    := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_CLEANUP_IMAGE)
+LOCAL_REGISTRY         := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_REGISTRY)
+LOCAL_CLI_REPO         := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_CLI_REPO)
+LOCAL_KYVERNOPRE_REPO  := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_KYVERNOPRE_REPO)
+LOCAL_KYVERNO_REPO     := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_KYVERNO_REPO)
+LOCAL_CLEANUP_REPO     := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_CLEANUP_REPO)
+LOCAL_REPORTS_REPO     := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_REPORTS_REPO)
+LOCAL_BACKGROUND_REPO  := $($(shell echo $(BUILD_WITH) | tr '[:lower:]' '[:upper:]')_BACKGROUND_REPO)
 
-.PHONY: image-build-kyvernopre
-image-build-kyvernopre: $(BUILD_WITH)-build-kyvernopre
+.PHONY: image-build-kyverno-init
+image-build-kyverno-init: $(BUILD_WITH)-build-kyverno-init
 
 .PHONY: image-build-kyverno
 image-build-kyverno: $(BUILD_WITH)-build-kyverno
@@ -316,6 +381,12 @@ image-build-cli: $(BUILD_WITH)-build-cli
 .PHONY: image-build-cleanup-controller
 image-build-cleanup-controller: $(BUILD_WITH)-build-cleanup-controller
 
+.PHONY: image-build-reports-controller
+image-build-reports-controller: $(BUILD_WITH)-build-reports-controller
+
+.PHONY: image-build-background-controller
+image-build-background-controller: $(BUILD_WITH)-build-background-controller
+
 .PHONY: image-build-all
 image-build-all: $(BUILD_WITH)-build-all
 
@@ -323,14 +394,21 @@ image-build-all: $(BUILD_WITH)-build-all
 # CODEGEN #
 ###########
 
-GOPATH_SHIM        := ${PWD}/.gopath
-PACKAGE_SHIM       := $(GOPATH_SHIM)/src/$(PACKAGE)
-OUT_PACKAGE        := $(PACKAGE)/pkg/client
-INPUT_DIRS         := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1alpha2,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/policyreport/v1alpha2
-CLIENTSET_PACKAGE  := $(OUT_PACKAGE)/clientset
-LISTERS_PACKAGE    := $(OUT_PACKAGE)/listers
-INFORMERS_PACKAGE  := $(OUT_PACKAGE)/informers
-CRDS_PATH          := ${PWD}/config/crds
+GOPATH_SHIM                 := ${PWD}/.gopath
+PACKAGE_SHIM                := $(GOPATH_SHIM)/src/$(PACKAGE)
+OUT_PACKAGE                 := $(PACKAGE)/pkg/client
+INPUT_DIRS                  := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v1beta1,$(PACKAGE)/api/kyverno/v2,$(PACKAGE)/api/kyverno/v2beta1,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/reports/v1,$(PACKAGE)/api/policyreport/v1alpha2
+CLIENT_INPUT_DIRS           := $(PACKAGE)/api/kyverno/v1,$(PACKAGE)/api/kyverno/v2,$(PACKAGE)/api/kyverno/v2alpha1,$(PACKAGE)/api/reports/v1,$(PACKAGE)/api/policyreport/v1alpha2
+CLIENTSET_PACKAGE           := $(OUT_PACKAGE)/clientset
+LISTERS_PACKAGE             := $(OUT_PACKAGE)/listers
+INFORMERS_PACKAGE           := $(OUT_PACKAGE)/informers
+APPLYCONFIGURATIONS_PACKAGE := $(OUT_PACKAGE)/applyconfigurations
+CRDS_PATH                   := ${PWD}/config/crds
+INSTALL_MANIFEST_PATH       := ${PWD}/config/install-latest-testing.yaml
+KYVERNO_CHART_VERSION       ?= v0.0.0
+POLICIES_CHART_VERSION      ?= v0.0.0
+APP_CHART_VERSION           ?= latest
+KUBE_CHART_VERSION          ?= ">=1.25.0-0"
 
 $(GOPATH_SHIM):
 	@echo Create gopath shim... >&2
@@ -344,17 +422,33 @@ $(PACKAGE_SHIM): $(GOPATH_SHIM)
 .PHONY: codegen-client-clientset
 codegen-client-clientset: $(PACKAGE_SHIM) $(CLIENT_GEN) ## Generate clientset
 	@echo Generate clientset... >&2
-	@GOPATH=$(GOPATH_SHIM) $(CLIENT_GEN) --go-header-file ./scripts/boilerplate.go.txt --clientset-name versioned --output-package $(CLIENTSET_PACKAGE) --input-base "" --input $(INPUT_DIRS)
+	@rm -rf $(CLIENTSET_PACKAGE) && mkdir -p $(CLIENTSET_PACKAGE)
+	@GOPATH=$(GOPATH_SHIM) $(CLIENT_GEN) \
+		--go-header-file ./scripts/boilerplate.go.txt \
+		--clientset-name versioned \
+		--output-package $(CLIENTSET_PACKAGE) \
+		--input-base "" \
+		--input $(CLIENT_INPUT_DIRS)
 
 .PHONY: codegen-client-listers
 codegen-client-listers: $(PACKAGE_SHIM) $(LISTER_GEN) ## Generate listers
 	@echo Generate listers... >&2
-	@GOPATH=$(GOPATH_SHIM) $(LISTER_GEN) --go-header-file ./scripts/boilerplate.go.txt --output-package $(LISTERS_PACKAGE) --input-dirs $(INPUT_DIRS)
+	@rm -rf $(LISTERS_PACKAGE) && mkdir -p $(LISTERS_PACKAGE)
+	@GOPATH=$(GOPATH_SHIM) $(LISTER_GEN) \
+		--go-header-file ./scripts/boilerplate.go.txt \
+		--output-package $(LISTERS_PACKAGE) \
+		--input-dirs $(CLIENT_INPUT_DIRS)
 
 .PHONY: codegen-client-informers
 codegen-client-informers: $(PACKAGE_SHIM) $(INFORMER_GEN) ## Generate informers
 	@echo Generate informers... >&2
-	@GOPATH=$(GOPATH_SHIM) $(INFORMER_GEN) --go-header-file ./scripts/boilerplate.go.txt --output-package $(INFORMERS_PACKAGE) --input-dirs $(INPUT_DIRS) --versioned-clientset-package $(CLIENTSET_PACKAGE)/versioned --listers-package $(LISTERS_PACKAGE)
+	@rm -rf $(INFORMERS_PACKAGE) && mkdir -p $(INFORMERS_PACKAGE)
+	@GOPATH=$(GOPATH_SHIM) $(INFORMER_GEN) \
+		--go-header-file ./scripts/boilerplate.go.txt \
+		--output-package $(INFORMERS_PACKAGE) \
+		--input-dirs $(CLIENT_INPUT_DIRS) \
+		--versioned-clientset-package $(CLIENTSET_PACKAGE)/versioned \
+		--listers-package $(LISTERS_PACKAGE)
 
 .PHONY: codegen-client-wrappers
 codegen-client-wrappers: codegen-client-clientset $(GOIMPORTS) ## Generate client wrappers
@@ -363,113 +457,235 @@ codegen-client-wrappers: codegen-client-clientset $(GOIMPORTS) ## Generate clien
 	@$(GOIMPORTS) -w ./pkg/clients
 	@go fmt ./pkg/clients/...
 
+.PHONY: codegen-register
+codegen-register: $(PACKAGE_SHIM) $(REGISTER_GEN) ## Generate types registrations
+	@echo Generate registration... >&2
+	@GOPATH=$(GOPATH_SHIM) $(REGISTER_GEN) \
+		--go-header-file=./scripts/boilerplate.go.txt \
+		--input-dirs=$(INPUT_DIRS)
+
+.PHONY: codegen-deepcopy
+codegen-deepcopy: $(PACKAGE_SHIM) $(DEEPCOPY_GEN) ## Generate deep copy functions
+	@echo Generate deep copy functions... >&2
+	@GOPATH=$(GOPATH_SHIM) $(DEEPCOPY_GEN) \
+		--go-header-file=./scripts/boilerplate.go.txt \
+		--input-dirs=$(INPUT_DIRS) \
+		--output-file-base=zz_generated.deepcopy
+
+.PHONY: codegen-defaulters
+codegen-defaulters: $(PACKAGE_SHIM) $(DEFAULTER_GEN) ## Generate defaulters
+	@echo Generate defaulters... >&2
+	@GOPATH=$(GOPATH_SHIM) $(DEFAULTER_GEN) --go-header-file=./scripts/boilerplate.go.txt --input-dirs=$(INPUT_DIRS)
+
+.PHONY: codegen-applyconfigurations
+codegen-applyconfigurations: $(PACKAGE_SHIM) $(APPLYCONFIGURATION_GEN) ## Generate apply configurations
+	@echo Generate applyconfigurations... >&2
+	@rm -rf $(APPLYCONFIGURATIONS_PACKAGE) && mkdir -p $(APPLYCONFIGURATIONS_PACKAGE)
+	@GOPATH=$(GOPATH_SHIM) $(APPLYCONFIGURATION_GEN) \
+		--go-header-file=./scripts/boilerplate.go.txt \
+		--input-dirs=$(INPUT_DIRS) \
+		--output-package $(APPLYCONFIGURATIONS_PACKAGE)
+
 .PHONY: codegen-client-all
-codegen-client-all: codegen-client-clientset codegen-client-listers codegen-client-informers codegen-client-wrappers ## Generate clientset, listers and informers
+codegen-client-all: ## Generate clientset, listers and informers
+codegen-client-all: codegen-register
+codegen-client-all: codegen-deepcopy
+codegen-client-all: codegen-defaulters
+codegen-client-all: codegen-applyconfigurations
+codegen-client-all: codegen-client-clientset
+codegen-client-all: codegen-client-listers
+codegen-client-all: codegen-client-informers
+codegen-client-all: codegen-client-wrappers
 
 .PHONY: codegen-crds-kyverno
-codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs
+codegen-crds-kyverno: ## Generate kyverno CRDs
 	@echo Generate kyverno crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
+	@rm -rf $(CRDS_PATH)/kyverno && mkdir -p $(CRDS_PATH)/kyverno
+	@go run ./hack/controller-gen -- paths=./api/kyverno/v1/... paths=./api/kyverno/v2/... paths=./api/kyverno/v2alpha1/... paths=./api/kyverno/v2beta1/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/kyverno
 
-.PHONY: codegen-crds-report
-codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs
+.PHONY: codegen-crds-policyreport
+codegen-crds-policyreport: ## Generate policy reports CRDs
 	@echo Generate policy reports crds... >&2
-	@$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH)
+	@rm -rf $(CRDS_PATH)/policyreport && mkdir -p $(CRDS_PATH)/policyreport
+	@go run ./hack/controller-gen -- paths=./api/policyreport/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/policyreport
 
-.PHONY: codegen-crds-all
-codegen-crds-all: codegen-crds-kyverno codegen-crds-report ## Generate all CRDs
+.PHONY: codegen-crds-reports
+codegen-crds-reports: ## Generate reports CRDs
+	@echo Generate reports crds... >&2
+	@rm -rf $(CRDS_PATH)/reports && mkdir -p $(CRDS_PATH)/reports
+	@go run ./hack/controller-gen -- paths=./api/reports/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=$(CRDS_PATH)/reports
 
-.PHONY: codegen-deepcopy-kyverno
-codegen-deepcopy-kyverno: $(CONTROLLER_GEN) $(GOIMPORTS) ## Generate kyverno deep copy functions
-	@echo Generate kyverno deep copy functions... >&2
-	@$(CONTROLLER_GEN) object:headerFile="scripts/boilerplate.go.txt" paths="./api/kyverno/..." && $(GOIMPORTS) -w ./api/kyverno
+.PHONY: codegen-crds-cli
+codegen-crds-cli: ## Generate CLI CRDs
+	@echo Generate cli crds... >&2
+	@rm -rf ${PWD}/cmd/cli/kubectl-kyverno/config/crds && mkdir -p ${PWD}/cmd/cli/kubectl-kyverno/config/crds
+	@go run ./hack/controller-gen -- paths=./cmd/cli/kubectl-kyverno/apis/... crd:crdVersions=v1,ignoreUnexportedFields=true,generateEmbeddedObjectMeta=false output:dir=${PWD}/cmd/cli/kubectl-kyverno/config/crds
 
-.PHONY: codegen-deepcopy-report
-codegen-deepcopy-report: $(CONTROLLER_GEN) $(GOIMPORTS) ## Generate policy reports deep copy functions
-	@echo Generate policy reports deep copy functions... >&2
-	@$(CONTROLLER_GEN) object:headerFile="scripts/boilerplate.go.txt" paths="./api/policyreport/..." && $(GOIMPORTS) -w ./api/policyreport
+.PHONY: codegen-crds-all
+codegen-crds-all: codegen-crds-kyverno codegen-crds-policyreport codegen-crds-reports codegen-cli-crds ## Generate all CRDs
 
-.PHONY: codegen-deepcopy-all
-codegen-deepcopy-all: codegen-deepcopy-kyverno codegen-deepcopy-report ## Generate all deep copy functions
+.PHONY: codegen-helm-docs
+codegen-helm-docs: ## Generate helm docs
+	@echo Generate helm docs... >&2
+	@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
 
 .PHONY: codegen-api-docs
-codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) ## Generate API docs
+codegen-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) ## Generate API docs
 	@echo Generate api docs... >&2
 	@rm -rf docs/user/crd && mkdir -p docs/user/crd
 	@GOPATH=$(GOPATH_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) -v 4 \
-		-api-dir github.com/kyverno/kyverno/api \
+		-api-dir $(PACKAGE)/api \
 		-config docs/user/config.json \
 		-template-dir docs/user/template \
 		-out-file docs/user/crd/index.html
-
-.PHONY: codegen-helm-docs
-codegen-helm-docs: ## Generate helm docs
-	@echo Generate helm docs... >&2
-	@docker run -v ${PWD}/charts:/work -w /work jnorwood/helm-docs:v1.11.0 -s file
+	@cd ./docs/user && GOPATH=$(GOPATH_SHIM) $(GENREF) \
+		-c config-api.yaml \
+		-o crd \
+		-f html
+
+.PHONY: codegen-cli-api-docs
+codegen-cli-api-docs: $(PACKAGE_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) $(GENREF) ## Generate CLI API docs
+	@echo Generate CLI api docs... >&2
+	@rm -rf docs/user/cli/crd && mkdir -p docs/user/cli/crd
+	@GOPATH=$(GOPATH_SHIM) $(GEN_CRD_API_REFERENCE_DOCS) -v 4 \
+		-api-dir $(PACKAGE)/cmd/cli/kubectl-kyverno/apis \
+		-config docs/user/config.json \
+		-template-dir docs/user/template \
+		-out-file docs/user/cli/crd/index.html
+	@cd ./docs/user && GOPATH=$(GOPATH_SHIM) $(GENREF) \
+		-c config-cli-api.yaml \
+		-o cli/crd \
+		-f html
+
+.PHONY: codegen-cli-docs
+codegen-cli-docs: $(CLI_BIN) ## Generate CLI docs
+	@echo Generate cli docs... >&2
+	@rm -rf docs/user/cli/commands && mkdir -p docs/user/cli/commands
+	@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) docs -o docs/user/cli/commands --autogenTag=false
+
+.PHONY: codegen-cli-crds
+codegen-cli-crds: codegen-crds-kyverno ## Copy generated CRDs to embed in the CLI
+	@echo Copy generated CRDs to embed in the CLI... >&2
+	@rm -rf cmd/cli/kubectl-kyverno/data/crds && mkdir -p cmd/cli/kubectl-kyverno/data/crds
+	@cp config/crds/kyverno/kyverno.io_clusterpolicies.yaml cmd/cli/kubectl-kyverno/data/crds
+	@cp config/crds/kyverno/kyverno.io_policies.yaml cmd/cli/kubectl-kyverno/data/crds
+	@cp config/crds/kyverno/kyverno.io_policyexceptions.yaml cmd/cli/kubectl-kyverno/data/crds
+	@cp cmd/cli/kubectl-kyverno/config/crds/* cmd/cli/kubectl-kyverno/data/crds
+
+.PHONY: codegen-docs-all
+codegen-docs-all: codegen-helm-docs codegen-cli-docs codegen-api-docs codegen-cli-api-docs ## Generate all docs
+
+.PHONY: codegen-fix-tests
+codegen-fix-tests: $(CLI_BIN) ## Fix CLI test files
+	@echo Fix CLI test files... >&2
+	@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix test . --save --compress --force
+
+.PHONY: codegen-fix-policies
+codegen-fix-policies: $(CLI_BIN) ## Fix CLI policy files
+	@echo Fix CLI policy files... >&2
+	@KYVERNO_EXPERIMENTAL=true $(CLI_BIN) fix policy . --save
+
+.PHONY: codegen-cli-all
+codegen-cli-all: codegen-cli-crds codegen-cli-docs codegen-cli-api-docs codegen-fix-tests ## Generate all CLI related code and docs
+
+define generate_crd
+	@echo "{{- if .Values.groups.$(4).$(5) }}" > ./charts/kyverno/charts/crds/templates/$(3)/$(1)
+	@cat $(CRDS_PATH)/$(2)/$(1) \
+		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- end }}' \
+ 		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- toYaml . | nindent 4 }}' \
+		| $(SED) -e '/^  annotations:/a \ \ \ \ {{- with .Values.annotations }}' \
+ 		| $(SED) -e '/^  annotations:/i \ \ labels:' \
+		| $(SED) -e '/^  labels:/a \ \ \ \ {{- include "kyverno.crds.labels" . | nindent 4 }}' \
+		| $(SED) -e 's/(devel)/$(CONTROLLER_GEN_VERSION)/' \
+ 		>> ./charts/kyverno/charts/crds/templates/$(3)/$(1)
+	@echo "{{- end }}" >> ./charts/kyverno/charts/crds/templates/$(3)/$(1)
+endef
 
 .PHONY: codegen-helm-crds
 codegen-helm-crds: codegen-crds-all ## Generate helm CRDs
 	@echo Generate helm crds... >&2
-	@cat $(CRDS_PATH)/* \
-		| $(SED) -e '1i{{- if .Values.installCRDs }}' \
-		| $(SED) -e '$$a{{- end }}' \
- 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- with .Values.crds.annotations }}' \
- 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- toYaml . | nindent 4 }}' \
- 		| $(SED) -e '/^  creationTimestamp: null/i \ \ \ \ {{- end }}' \
- 		| $(SED) -e '/^  creationTimestamp: null/a \ \ \ \ {{- include "kyverno.crdLabels" . | nindent 4 }}' \
- 		| $(SED) -e '/^  creationTimestamp: null/a \ \ labels:' \
- 		| $(SED) -e '/^  creationTimestamp: null/d' \
- 		> ./charts/kyverno/templates/crds.yaml
+	@rm -rf ./charts/kyverno/charts/crds/templates/kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/kyverno.io
+	@rm -rf ./charts/kyverno/charts/crds/templates/reports.kyverno.io && mkdir -p ./charts/kyverno/charts/crds/templates/reports.kyverno.io
+	@rm -rf ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io && mkdir -p ./charts/kyverno/charts/crds/templates/wgpolicyk8s.io
+	$(call generate_crd,kyverno.io_cleanuppolicies.yaml,kyverno,kyverno.io,kyverno,cleanuppolicies)
+	$(call generate_crd,kyverno.io_clustercleanuppolicies.yaml,kyverno,kyverno.io,kyverno,clustercleanuppolicies)
+	$(call generate_crd,kyverno.io_clusterpolicies.yaml,kyverno,kyverno.io,kyverno,clusterpolicies)
+	$(call generate_crd,kyverno.io_globalcontextentries.yaml,kyverno,kyverno.io,kyverno,globalcontextentries)
+	$(call generate_crd,kyverno.io_policies.yaml,kyverno,kyverno.io,kyverno,policies)
+	$(call generate_crd,kyverno.io_policyexceptions.yaml,kyverno,kyverno.io,kyverno,policyexceptions)
+	$(call generate_crd,kyverno.io_updaterequests.yaml,kyverno,kyverno.io,kyverno,updaterequests)
+	$(call generate_crd,reports.kyverno.io_clusterephemeralreports.yaml,reports,reports.kyverno.io,reports,clusterephemeralreports)
+	$(call generate_crd,reports.kyverno.io_ephemeralreports.yaml,reports,reports.kyverno.io,reports,ephemeralreports)
+	$(call generate_crd,wgpolicyk8s.io_clusterpolicyreports.yaml,policyreport,wgpolicyk8s.io,wgpolicyk8s,clusterpolicyreports)
+	$(call generate_crd,wgpolicyk8s.io_policyreports.yaml,policyreport,wgpolicyk8s.io,wgpolicyk8s,policyreports)
 
 .PHONY: codegen-helm-all
 codegen-helm-all: codegen-helm-crds codegen-helm-docs ## Generate helm docs and CRDs
 
-.PHONY: codegen-manifest-install
-codegen-manifest-install: $(HELM) ## Create install manifest
-	@echo Generate install manifest... >&2
-	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+.PHONY: codegen-manifest-install-latest
+codegen-manifest-install-latest: $(HELM) ## Create install_latest manifest
+	@echo Generate latest install manifest... >&2
+	@$(HELM) template kyverno --kube-version $(KUBE_VERSION) --namespace kyverno --skip-tests ./charts/kyverno \
 		--set templating.enabled=true \
 		--set templating.version=latest \
+		--set admissionController.container.image.tag=latest \
+		--set admissionController.initContainer.image.tag=latest \
 		--set cleanupController.image.tag=latest \
-		--set image.tag=latest \
-		--set initImage.tag=latest \
+		--set reportsController.image.tag=latest \
+		--set backgroundController.image.tag=latest \
  		| $(SED) -e '/^#.*/d' \
-		> ./config/install.yaml
+		> ./config/install-latest-testing.yaml
 
 .PHONY: codegen-manifest-debug
 codegen-manifest-debug: $(HELM) ## Create debug manifest
 	@echo Generate debug manifest... >&2
 	@mkdir -p ./.manifest
-	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+	@$(HELM) template kyverno --kube-version $(KUBE_VERSION) --namespace kyverno --skip-tests ./charts/kyverno \
 		--set templating.enabled=true \
 		--set templating.version=latest \
 		--set templating.debug=true \
+		--set admissionController.container.image.tag=latest \
+		--set admissionController.initContainer.image.tag=latest \
 		--set cleanupController.image.tag=latest \
-		--set image.tag=latest \
-		--set initImage.tag=latest \
+		--set reportsController.image.tag=latest \
  		| $(SED) -e '/^#.*/d' \
 		> ./.manifest/debug.yaml
 
-# guidance https://github.com/kyverno/kyverno/wiki/Generate-a-Release
 .PHONY: codegen-manifest-release
 codegen-manifest-release: $(HELM) ## Create release manifest
 	@echo Generate release manifest... >&2
 	@mkdir -p ./.manifest
-	@$(HELM) template kyverno --namespace kyverno --skip-tests ./charts/kyverno \
+	@$(HELM) template kyverno --kube-version $(KUBE_VERSION) --namespace kyverno --skip-tests ./charts/kyverno \
 		--set templating.enabled=true \
-		--set templating.version=$(GIT_VERSION) \
-		--set cleanupController.image.tag=$(GIT_VERSION) \
-		--set image.tag=$(GIT_VERSION) \
-		--set initImage.tag=$(GIT_VERSION) \
+		--set templating.version=$(VERSION) \
+		--set admissionController.container.image.tag=$(VERSION) \
+		--set admissionController.initContainer.image.tag=$(VERSION) \
+		--set cleanupController.image.tag=$(VERSION) \
+		--set reportsController.image.tag=$(VERSION) \
  		| $(SED) -e '/^#.*/d' \
 		> ./.manifest/release.yaml
 
-
 .PHONY: codegen-manifest-all
-codegen-manifest-all: codegen-manifest-install codegen-manifest-debug codegen-manifest-release ## Create all manifests
+codegen-manifest-all: codegen-manifest-install-latest codegen-manifest-debug ## Create all manifests
+
+.PHONY: codegen-helm-update-versions
+codegen-helm-update-versions: ## Update helm charts versions
+	@echo Updating Chart.yaml files... >&2
+	@$(SED) -i 's/version: .*/version: $(POLICIES_CHART_VERSION)/' 		charts/kyverno-policies/Chart.yaml
+	@$(SED) -i 's/appVersion: .*/appVersion: $(APP_CHART_VERSION)/' 	charts/kyverno-policies/Chart.yaml
+	@$(SED) -i 's/kubeVersion: .*/kubeVersion: $(KUBE_CHART_VERSION)/' 	charts/kyverno-policies/Chart.yaml
+	@$(SED) -i 's/version: .*/version: $(KYVERNO_CHART_VERSION)/' 		charts/kyverno/Chart.yaml
+	@$(SED) -i 's/appVersion: .*/appVersion: $(APP_CHART_VERSION)/' 	charts/kyverno/Chart.yaml
+	@$(SED) -i 's/kubeVersion: .*/kubeVersion: $(KUBE_CHART_VERSION)/' 	charts/kyverno/Chart.yaml
+	@$(SED) -i 's/version: .*/version: $(KYVERNO_CHART_VERSION)/' 		charts/kyverno/charts/crds/Chart.yaml
+	@$(SED) -i 's/appVersion: .*/appVersion: $(APP_CHART_VERSION)/' 	charts/kyverno/charts/crds/Chart.yaml
+	@$(SED) -i 's/kubeVersion: .*/kubeVersion: $(KUBE_CHART_VERSION)/' 	charts/kyverno/charts/crds/Chart.yaml
+	@$(SED) -i 's/version: .*/version: $(KYVERNO_CHART_VERSION)/' 		charts/kyverno/charts/grafana/Chart.yaml
+	@$(SED) -i 's/appVersion: .*/appVersion: $(APP_CHART_VERSION)/' 	charts/kyverno/charts/grafana/Chart.yaml
+	@$(SED) -i 's/kubeVersion: .*/kubeVersion: $(KUBE_CHART_VERSION)/' 	charts/kyverno/charts/grafana/Chart.yaml
 
 .PHONY: codegen-quick
-codegen-quick: codegen-deepcopy-all codegen-crds-all codegen-api-docs codegen-helm-all codegen-manifest-all ## Generate all generated code except client
+codegen-quick: codegen-deepcopy codegen-crds-all codegen-docs-all codegen-helm-all codegen-manifest-all ## Generate all generated code except client
 
 .PHONY: codegen-slow
 codegen-slow: codegen-client-all ## Generate client code
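Review bot: `codegen-crds-all` lists `codegen-cli-crds`, which only copies files, but nothing in that chain depends on `codegen-crds-cli`, the target that actually generates the CLI CRDs into `cmd/cli/kubectl-kyverno/config/crds` that the `cp cmd/cli/kubectl-kyverno/config/crds/* ...` line then copies; either `codegen-crds-all` should list `codegen-crds-cli` or the copy target should depend on it, e.g. `codegen-cli-crds: codegen-crds-kyverno codegen-crds-cli ## Copy generated CRDs to embed in the CLI`. The debug and release manifest targets set `reportsController.image.tag` but, unlike `codegen-manifest-install-latest`, never set `backgroundController.image.tag`, so those two manifests fall back to the chart default for that controller; adding `--set backgroundController.image.tag=latest` (resp. `$(VERSION)`) to both would keep the three targets consistent. In `codegen-helm-update-versions` the `version: .*` pattern is unanchored and will also rewrite any dependency `version:` line in the Chart.yaml files; if that is intended, a comment on the target saying so would help, otherwise `^version:` restricts it to the top-level field. The `helm-docs` generator is referenced by mutable tag `jnorwood/helm-docs:v1.11.0` and runs with the charts directory bind-mounted; pinning the image by digest would make the generated docs reproducible and the tool's provenance verifiable.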
@@ -477,15 +693,6 @@ codegen-slow: codegen-client-all ## Generate client code
 .PHONY: codegen-all
 codegen-all: codegen-quick codegen-slow ## Generate all generated code
 
-# .PHONY: codegen-openapi
-# codegen-openapi: $(PACKAGE_SHIM) $(OPENAPI_GEN) ## Generate open api code
-# 	@echo Generate open api definitions... >&2
-# 	@GOPATH=$(GOPATH_SHIM) $(OPENAPI_GEN) --go-header-file ./scripts/boilerplate.go.txt \
-# 		--input-dirs $(INPUT_DIRS) \
-# 		--input-dirs  k8s.io/apimachinery/pkg/apis/meta/v1,k8s.io/apimachinery/pkg/runtime,k8s.io/apimachinery/pkg/version \
-# 		--output-package $(OUT_PACKAGE)/openapi \
-# 		-O zz_generated.openapi
-
 ##################
 # VERIFY CODEGEN #
 ##################
@@ -511,19 +718,19 @@ verify-client: codegen-client-all ## Check client is up to date
 	@git diff --ignore-space-change --quiet --exit-code pkg/clients
 
 .PHONY: verify-deepcopy
-verify-deepcopy: codegen-deepcopy-all ## Check deepcopy functions are up to date
+verify-deepcopy: codegen-deepcopy ## Check deepcopy functions are up to date
 	@echo Checking deepcopy functions are up to date... >&2
 	@git --no-pager diff api
-	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-deepcopy-all".' >&2
-	@echo 'To correct this, locally run "make codegen-deepcopy-all", commit the changes, and re-run tests.' >&2
+	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-deepcopy".' >&2
+	@echo 'To correct this, locally run "make codegen-deepcopy", commit the changes, and re-run tests.' >&2
 	@git diff --quiet --exit-code api
 
-.PHONY: verify-api-docs
-verify-api-docs: codegen-api-docs ## Check api reference docs are up to date
-	@echo Checking api reference docs are up to date... >&2
+.PHONY: verify-docs
+verify-docs: codegen-docs-all ## Check docs are up to date
+	@echo Checking docs are up to date... >&2
 	@git --no-pager diff docs/user
-	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-api-docs".' >&2
-	@echo 'To correct this, locally run "make codegen-api-docs", commit the changes, and re-run tests.' >&2
+	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-docs-all".' >&2
+	@echo 'To correct this, locally run "make codegen-docs-all", commit the changes, and re-run tests.' >&2
 	@git diff --quiet --exit-code docs/user
 
 .PHONY: verify-helm
@@ -534,16 +741,32 @@ verify-helm: codegen-helm-all ## Check Helm charts are up to date
 	@echo 'To correct this, locally run "make codegen-helm-all", commit the changes, and re-run tests.' >&2
 	@git diff --quiet --exit-code charts
 
-.PHONY: verify-manifest-install
-verify-manifest-install: codegen-manifest-install ## Check install manifest is up to date
-	@echo Checking install manifest is up to date... >&2
-	@git --no-pager diff config/install.yaml
-	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-helm-all".' >&2
-	@echo 'To correct this, locally run "make codegen-helm-all", commit the changes, and re-run tests.' >&2
-	@git diff --quiet --exit-code config/install.yaml
+.PHONY: verify-manifests
+verify-manifests: codegen-manifest-all ## Check manifests are up to date
+	@echo Checking manifests are up to date... >&2
+	@git --no-pager diff ${INSTALL_MANIFEST_PATH}
+	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-manifest-all".' >&2
+	@echo 'To correct this, locally run "make codegen-manifest-all", commit the changes, and re-run tests.' >&2
+	@git diff --quiet --exit-code ${INSTALL_MANIFEST_PATH}
+
+.PHONY: verify-cli-crds
+verify-cli-crds: codegen-cli-crds ## Check generated CRDs to be embedded in the CLI are up to date
+	@echo Checking generated CRDs to be embedded in the CLI are up to date... >&2
+	@git --no-pager diff cmd/cli/kubectl-kyverno/data/crds
+	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-cli-crds".' >&2
+	@echo 'To correct this, locally run "make codegen-cli-crds", commit the changes, and re-run tests.' >&2
+	@git diff --quiet --exit-code cmd/cli/kubectl-kyverno/data/crds
+
+.PHONY: verify-cli-tests
+verify-cli-tests: ## Check CLI test files are up to date
+	@echo Checking CLI test files are up to date... >&2
+	@git --no-pager diff test/cli
+	@echo 'If this test fails, it is because the git diff is non-empty after running "make codegen-fix-tests".' >&2
+	@echo 'To correct this, locally run "make codegen-fix-tests", commit the changes, and re-run tests.' >&2
+	@git diff --quiet --exit-code test/cli
 
 .PHONY: verify-codegen
-verify-codegen: verify-crds verify-client verify-deepcopy verify-api-docs verify-helm verify-manifest-install ## Verify all generated code and docs are up to date
+verify-codegen: verify-crds verify-client verify-deepcopy verify-docs verify-helm verify-manifests verify-cli-crds ## Verify all generated code and docs are up to date
 
 ##############
 # UNIT TESTS #
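Review bot: `verify-cli-tests` has no prerequisite, unlike every other verify target in this section, so it never runs `codegen-fix-tests` before diffing `test/cli`, and its failure message points at a step that was not executed; it is also absent from the `verify-codegen` prerequisite list. If leaving the fix step out is deliberate (it rewrites test files with `--force` and may be slow), a comment on the target should say so; otherwise `verify-cli-tests: codegen-fix-tests ## Check CLI test files are up to date` plus adding `verify-cli-tests` to `verify-codegen` would turn it into an actual check.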
@@ -559,7 +782,7 @@ test: test-clean test-unit ## Clean tests cache then run unit tests
 .PHONY: test-clean
 test-clean: ## Clean tests cache
 	@echo Clean test cache... >&2
-	@go clean -testcache ./...
+	@go clean -testcache
 
 .PHONY: test-unit
 test-unit: test-clean $(GO_ACC) ## Run unit tests
@@ -573,75 +796,70 @@ code-cov-report: test-clean ## Generate code coverage report
 	@go tool cover -func=coverage.out -o $(CODE_COVERAGE_FILE_TXT)
 	@go tool cover -html=coverage.out -o $(CODE_COVERAGE_FILE_HTML)
 
-#####################
-# CONFORMANCE TESTS #
-#####################
-
-.PHONY: test-conformance
-test-conformance: ## Run conformance tests
-	@echo Running conformance tests... >&2
-	@go run ./test/conformance
-
-.PHONY: kind-test-conformance
-kind-test-conformance: kind-deploy-kyverno ## Run conformance tests on a local cluster
-	@echo Running conformance tests... >&2
-	@go run ./test/conformance --create-cluster=false
-
-###############
-# KUTTL TESTS #
-###############
-
-.PHONY: test-kuttl
-test-kuttl: $(KUTTL) ## Run kuttl tests
-	@echo Running kuttl tests... >&2
-	@$(KUTTL) test --config ./test/conformance/kuttl/kuttl-test.yaml
-
 #############
 # CLI TESTS #
 #############
 
 TEST_GIT_BRANCH ?= main
+TEST_GIT_REPO   ?= https://github.com/kyverno/policies
 
 .PHONY: test-cli
-test-cli: test-cli-policies test-cli-local test-cli-local-mutate test-cli-local-generate test-cli-test-case-selector-flag test-cli-registry ## Run all CLI tests
+test-cli: test-cli-policies test-cli-local ## Run all CLI tests
 
 .PHONY: test-cli-policies
-test-cli-policies: $(CLI_BIN)
-	@$(CLI_BIN) test https://github.com/kyverno/policies/$(TEST_GIT_BRANCH)
+test-cli-policies: $(CLI_BIN) ## Run CLI tests against the policies repository
+	@echo Running cli tests against $(TEST_GIT_REPO)/$(TEST_GIT_BRANCH)... >&2
+	@$(CLI_BIN) test $(TEST_GIT_REPO)/$(TEST_GIT_BRANCH)
 
 .PHONY: test-cli-local
-test-cli-local: $(CLI_BIN)
+test-cli-local: test-cli-local-validate test-cli-local-mutate test-cli-local-generate test-cli-local-registry test-cli-local-scenarios test-cli-local-selector ## Run local CLI tests
+
+.PHONY: test-cli-local-validate
+test-cli-local-validate: $(CLI_BIN) ## Run local CLI validation tests
+	@echo Running local cli validation tests... >&2
 	@$(CLI_BIN) test ./test/cli/test
 
 .PHONY: test-cli-local-mutate
-test-cli-local-mutate: $(CLI_BIN)
+test-cli-local-mutate: $(CLI_BIN) ## Run local CLI mutation tests
+	@echo Running local cli mutation tests... >&2
 	@$(CLI_BIN) test ./test/cli/test-mutate
 
 .PHONY: test-cli-local-generate
-test-cli-local-generate: $(CLI_BIN)
+test-cli-local-generate: $(CLI_BIN) ## Run local CLI generation tests
+	@echo Running local cli generation tests... >&2
 	@$(CLI_BIN) test ./test/cli/test-generate
 
-.PHONY: test-cli-test-case-selector-flag
-test-cli-test-case-selector-flag: $(CLI_BIN)
+.PHONY: test-cli-local-selector
+test-cli-local-selector: $(CLI_BIN) ## Run local CLI tests (with test case selector)
+	@echo Running local cli selector tests... >&2
 	@$(CLI_BIN) test ./test/cli/test --test-case-selector "policy=disallow-latest-tag, rule=require-image-tag, resource=test-require-image-tag-pass"
 
-.PHONY: test-cli-registry
-test-cli-registry: $(CLI_BIN)
+.PHONY: test-cli-local-registry
+test-cli-local-registry: $(CLI_BIN) ## Run local CLI registry tests
+	@echo Running local cli registry tests... >&2
 	@$(CLI_BIN) test ./test/cli/registry --registry
 
-##################################
-# Testing & Code-Coverage
-##################################
+.PHONY: test-cli-local-scenarios
+test-cli-local-scenarios: $(CLI_BIN) ## Run local CLI scenarios tests
+	@echo Running local cli scenarios tests... >&2
+	@$(CLI_BIN) test ./test/cli/scenarios_to_cli --registry
 
-helm-test-values:
-	sed -i -e "s|nameOverride:.*|nameOverride: kyverno|g" charts/kyverno/values.yaml
-	sed -i -e "s|fullnameOverride:.*|fullnameOverride: kyverno|g" charts/kyverno/values.yaml
-	sed -i -e "s|namespace:.*|namespace: kyverno|g" charts/kyverno/values.yaml
-	sed -i -e "s|tag:  # replaced in e2e tests.*|tag: $(IMAGE_TAG_DEV)|" charts/kyverno/values.yaml
-	sed -i -e "s|repository: ghcr.io/kyverno/kyvernopre  # init: replaced in e2e tests|repository: $(LOCAL_KYVERNOPRE_IMAGE)|" charts/kyverno/values.yaml
-	sed -i -e "s|repository: ghcr.io/kyverno/kyverno  # kyverno: replaced in e2e tests|repository: $(LOCAL_KYVERNO_IMAGE)|" charts/kyverno/values.yaml
+#############
+# HELM TEST #
+#############
+
+.PHONY: helm-test
+helm-test: $(HELM) ## Run helm test
+	@echo Running helm test... >&2
+	@$(HELM) test --namespace kyverno kyverno
 
-release-notes:
+#################
+# RELEASE NOTES #
+#################
+
+.PHONY: release-notes
+release-notes: ## Generate release notes
+	@echo Generating release notes... >&2
 	@bash -c 'while IFS= read -r line ; do if [[ "$$line" == "## "* && "$$line" != "## $(VERSION)" ]]; then break ; fi; echo "$$line"; done < "CHANGELOG.md"' \
 	true
 
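Review bot: `test-cli-policies` runs the CLI against `$(TEST_GIT_REPO)/$(TEST_GIT_BRANCH)`, which defaults to the moving `main` branch of a remote repository, so the test inputs change outside this repository's control and a failing or passing run cannot be reproduced later; defaulting `TEST_GIT_BRANCH` to a tag or commit, or at least echoing the resolved revision (the recipe already echoes the URL), would address that. Separately, `test-cli-local` now aggregates `test-cli-local-registry` and `test-cli-local-scenarios`, both of which pass `--registry` and presumably need registry network access, so the `##` help text for `test-cli-local` could state that the aggregate is no longer offline-only.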
@@ -653,18 +871,6 @@ release-notes:
 debug-deploy: codegen-manifest-debug ## Install debug manifests
 	@kubectl create -f ./.manifest/debug.yaml || kubectl replace -f ./.manifest/debug.yaml
 
-##########
-# GITHUB #
-##########
-
-.PHONY: gh-install-pin-github-action
-gh-install-pin-github-action:
-	@npm install -g pin-github-action
-
-.PHONY: gh-pin-actions
-gh-pin-actions: gh-install-pin-github-action
-	@pin-github-action ./.github/workflows/release.yaml
-
 #############
 # PERF TEST #
 #############
@@ -673,7 +879,7 @@ PERF_TEST_NODE_COUNT		?= 3
 PERF_TEST_MEMORY_REQUEST	?= "1Gi"
 
 .PHONY: test-perf
-test-perf: $(PACKAGE_SHIM)
+test-perf: $(PACKAGE_SHIM) ## Run perf tests
 	GO111MODULE=off GOPATH=$(GOPATH_SHIM) go get k8s.io/perf-tests || true
 	cd $(GOPATH_SHIM)/src/k8s.io/perf-tests && \
 	GOPATH=$(GOPATH_SHIM) ./run-e2e.sh cluster-loader2 \
@@ -697,6 +903,21 @@ test-perf: $(PACKAGE_SHIM)
 		--v=2 \
 		--report-dir=.
 
+##########
+# DOCKER #
+##########
+
+.PHONY: docker-save-image-all
+docker-save-image-all: $(KIND) image-build-all ## Save docker images in archive
+	docker save \
+		$(LOCAL_REGISTRY)/$(LOCAL_KYVERNOPRE_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_KYVERNO_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_CLEANUP_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_REPORTS_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_BACKGROUND_REPO):$(GIT_SHA) \
+		$(LOCAL_REGISTRY)/$(LOCAL_CLI_REPO):$(GIT_SHA) \
+	> kyverno.tar
+
 ########
 # KIND #
 ########
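Review bot: `docker-save-image-all` declares `$(KIND)` as a prerequisite, but its recipe only runs `docker save` and never touches kind, so the dependency forces a tool download for nothing; the target line should read `docker-save-image-all: image-build-all ## Save docker images in archive`. The archive name `kyverno.tar` is also hard-coded here and again in `kind-load-image-archive` further down; a single variable (e.g. `IMAGE_ARCHIVE ?= kyverno.tar`) used by both would keep the writer and the reader of the archive in step.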
@@ -704,48 +925,99 @@ test-perf: $(PACKAGE_SHIM)
 .PHONY: kind-create-cluster
 kind-create-cluster: $(KIND) ## Create kind cluster
 	@echo Create kind cluster... >&2
-	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./scripts/config/kind.yaml
+	@$(KIND) create cluster --name $(KIND_NAME) --image $(KIND_IMAGE) --config ./scripts/config/kind/$(KIND_CONFIG).yaml
 
 .PHONY: kind-delete-cluster
 kind-delete-cluster: $(KIND) ## Delete kind cluster
 	@echo Delete kind cluster... >&2
 	@$(KIND) delete cluster --name $(KIND_NAME)
 
-.PHONY: kind-load-kyvernopre
-kind-load-kyvernopre: $(KIND) image-build-kyvernopre ## Build kyvernopre image and load it in kind cluster
+.PHONY: kind-load-kyverno-init
+kind-load-kyverno-init: $(KIND) image-build-kyverno-init ## Build kyvernopre image and load it in kind cluster
 	@echo Load kyvernopre image... >&2
-	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_KYVERNOPRE_IMAGE):$(IMAGE_TAG_DEV)
+	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_KYVERNOPRE_REPO):$(GIT_SHA)
+
+.PHONY: kind-load-cli
+kind-load-cli: $(KIND) image-build-cli ## Build cli image and load it in kind cluster
+	@echo Load cli image... >&2
+	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_CLI_REPO):$(GIT_SHA)
 
 .PHONY: kind-load-kyverno
 kind-load-kyverno: $(KIND) image-build-kyverno ## Build kyverno image and load it in kind cluster
 	@echo Load kyverno image... >&2
-	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_KYVERNO_IMAGE):$(IMAGE_TAG_DEV)
+	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_KYVERNO_REPO):$(GIT_SHA)
 
 .PHONY: kind-load-cleanup-controller
 kind-load-cleanup-controller: $(KIND) image-build-cleanup-controller ## Build cleanup controller image and load it in kind cluster
 	@echo Load cleanup controller image... >&2
-	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_CLEANUP_IMAGE):$(IMAGE_TAG_DEV)
+	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_CLEANUP_REPO):$(GIT_SHA)
+
+.PHONY: kind-load-reports-controller
+kind-load-reports-controller: $(KIND) image-build-reports-controller ## Build reports controller image and load it in kind cluster
+	@echo Load reports controller image... >&2
+	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_REPORTS_REPO):$(GIT_SHA)
+
+.PHONY: kind-load-background-controller
+kind-load-background-controller: $(KIND) image-build-background-controller ## Build background controller image and load it in kind cluster
+	@echo Load background controller image... >&2
+	@$(KIND) load docker-image --name $(KIND_NAME) $(LOCAL_REGISTRY)/$(LOCAL_BACKGROUND_REPO):$(GIT_SHA)
 
 .PHONY: kind-load-all
-kind-load-all: kind-load-kyvernopre kind-load-kyverno kind-load-cleanup-controller ## Build images and load them in kind cluster
+kind-load-all: ## Build images and load them in kind cluster
+kind-load-all: kind-load-kyverno-init
+kind-load-all: kind-load-kyverno
+kind-load-all: kind-load-cleanup-controller
+kind-load-all: kind-load-reports-controller
+kind-load-all: kind-load-background-controller
+kind-load-all: kind-load-cli
+
+.PHONY: kind-load-image-archive
+kind-load-image-archive: $(KIND) ## Load docker images from archive
+	@echo Load image archive in kind cluster... >&2
+	@$(KIND) load image-archive kyverno.tar --name $(KIND_NAME)
+
+.PHONY: kind-install-kyverno
+kind-install-kyverno: $(HELM) ## Install kyverno helm chart
+	@echo Install kyverno chart... >&2
+	@$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait ./charts/kyverno \
+		--set admissionController.container.image.registry=$(LOCAL_REGISTRY) \
+		--set admissionController.container.image.repository=$(LOCAL_KYVERNO_REPO) \
+		--set admissionController.container.image.tag=$(GIT_SHA) \
+		--set admissionController.initContainer.image.registry=$(LOCAL_REGISTRY) \
+		--set admissionController.initContainer.image.repository=$(LOCAL_KYVERNOPRE_REPO) \
+		--set admissionController.initContainer.image.tag=$(GIT_SHA) \
+		--set cleanupController.image.registry=$(LOCAL_REGISTRY) \
+		--set cleanupController.image.repository=$(LOCAL_CLEANUP_REPO) \
+		--set cleanupController.image.tag=$(GIT_SHA) \
+		--set reportsController.image.registry=$(LOCAL_REGISTRY) \
+		--set reportsController.image.repository=$(LOCAL_REPORTS_REPO) \
+		--set reportsController.image.tag=$(GIT_SHA) \
+		--set backgroundController.image.registry=$(LOCAL_REGISTRY) \
+		--set backgroundController.image.repository=$(LOCAL_BACKGROUND_REPO) \
+		--set backgroundController.image.tag=$(GIT_SHA) \
+		--set crds.migration.image.registry=$(LOCAL_REGISTRY) \
+		--set crds.migration.image.repository=$(LOCAL_CLI_REPO) \
+		--set crds.migration.image.tag=$(GIT_SHA) \
+		$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno.yaml)
+
+.PHONY: kind-install-goldilocks
+kind-install-goldilocks: $(HELM) ## Install goldilocks helm chart
+	@echo Install goldilocks chart... >&2
+	@$(HELM) upgrade --install vpa --namespace vpa --create-namespace --wait \
+		--repo https://charts.fairwinds.com/stable vpa
+	@$(HELM) upgrade --install goldilocks --namespace goldilocks --create-namespace --wait \
+		--repo https://charts.fairwinds.com/stable goldilocks
+	kubectl label ns kyverno goldilocks.fairwinds.com/enabled=true
 
 .PHONY: kind-deploy-kyverno
 kind-deploy-kyverno: $(HELM) kind-load-all ## Build images, load them in kind cluster and deploy kyverno helm chart
-	@echo Install kyverno chart... >&2
-	@$(HELM) upgrade --install kyverno --namespace kyverno --create-namespace --wait ./charts/kyverno \
-		--set cleanupController.image.repository=$(LOCAL_CLEANUP_IMAGE) \
-		--set cleanupController.image.tag=$(IMAGE_TAG_DEV) \
-		--set image.repository=$(LOCAL_KYVERNO_IMAGE) \
-		--set image.tag=$(IMAGE_TAG_DEV) \
-		--set initImage.repository=$(LOCAL_KYVERNOPRE_IMAGE) \
-		--set initImage.tag=$(IMAGE_TAG_DEV) \
-		--values ./scripts/config/$(USE_CONFIG)/kyverno.yaml
+	@$(MAKE) kind-install-kyverno
 
 .PHONY: kind-deploy-kyverno-policies
 kind-deploy-kyverno-policies: $(HELM) ## Deploy kyverno-policies helm chart
 	@echo Install kyverno-policies chart... >&2
 	@$(HELM) upgrade --install kyverno-policies --namespace kyverno --create-namespace --wait ./charts/kyverno-policies \
-		--values ./scripts/config/$(USE_CONFIG)/kyverno-policies.yaml
+		$(foreach CONFIG,$(subst $(COMMA), ,$(USE_CONFIG)),--values ./scripts/config/$(CONFIG)/kyverno-policies.yaml)
 
 .PHONY: kind-deploy-all
 kind-deploy-all: | kind-deploy-kyverno kind-deploy-kyverno-policies ## Build images, load them in kind cluster and deploy helm charts
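Review bot: In `kind-install-goldilocks` the last recipe line, `kubectl label ns kyverno goldilocks.fairwinds.com/enabled=true`, assumes the kyverno namespace already exists, yet the target has no prerequisite on `kind-install-kyverno`, so on a fresh cluster the two chart installs succeed and the target then fails on the label step; it is also the only recipe line in this section without the `@` prefix. Either add `kind-install-kyverno` as a prerequisite or create the namespace before labelling it, and write the line as `@kubectl label ns kyverno goldilocks.fairwinds.com/enabled=true` for consistency. The `vpa` and `goldilocks` charts are pulled from `https://charts.fairwinds.com/stable` with no `--version`, so what lands in the dev cluster drifts as upstream publishes new chart releases; pinning with `--version` keeps `make kind-install-goldilocks` reproducible, and the same applies to the otel-collector and policy-reporter charts added in the dev-lab hunks.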
@@ -758,6 +1030,25 @@ kind-deploy-reporter: $(HELM) ## Deploy policy-reporter helm chart
 		--values ./scripts/config/standard/kyverno-reporter.yaml
 	@kubectl port-forward -n policy-reporter services/policy-reporter-ui  8082:8080
 
+###########
+# ROLLOUT #
+###########
+
+.PHONY: rollout-cleanup-controller
+rollout-cleanup-controller: ## Rollout cleanup-controller deployment
+	@kubectl rollout restart deployment -n kyverno -l app.kubernetes.io/component=cleanup-controller
+
+.PHONY: rollout-reports-controller
+rollout-reports-controller: ## Rollout reports-controller deployment
+	@kubectl rollout restart deployment -n kyverno -l app.kubernetes.io/component=reports-controller
+
+.PHONY: rollout-admission-controller
+rollout-admission-controller: ## Rollout admission-controller deployment
+	@kubectl rollout restart deployment -n kyverno -l app.kubernetes.io/component=admission-controller
+
+.PHONY: rollout-all
+rollout-all: rollout-cleanup-controller rollout-reports-controller rollout-admission-controller ## Rollout all deployment
+
 ###########
 # DEV LAB #
 ###########
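Review bot: `rollout-all` restarts the cleanup, reports and admission controllers but not the background controller, although `kind-install-kyverno` deploys `backgroundController` and `kind-load-all` loads its image, so the help text `## Rollout all deployment` promises more than the target does. Adding a fourth target and including it in the aggregate closes the gap, assuming the chart labels that deployment `app.kubernetes.io/component=background-controller` in the same way as the other three; the help text should also read `## Rollout all deployments`.
```makefile
.PHONY: rollout-background-controller
rollout-background-controller: ## Rollout background-controller deployment
	@kubectl rollout restart deployment -n kyverno -l app.kubernetes.io/component=background-controller

.PHONY: rollout-all
rollout-all: rollout-cleanup-controller rollout-reports-controller rollout-admission-controller rollout-background-controller ## Rollout all deployments
```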
@@ -791,6 +1082,13 @@ dev-lab-tempo: $(HELM) ## Deploy tempo helm chart
 		--values ./scripts/config/dev/tempo.yaml
 	@kubectl apply -f ./scripts/config/dev/tempo-datasource.yaml
 
+.PHONY: dev-lab-otel-collector
+dev-lab-otel-collector: $(HELM) ## Deploy tempo helm chart
+	@echo Install otel-collector chart... >&2
+	@$(HELM) upgrade --install opentelemetry-collector --namespace monitoring --create-namespace --wait \
+		--repo https://open-telemetry.github.io/opentelemetry-helm-charts opentelemetry-collector \
+		--values ./scripts/config/dev/otel-collector.yaml
+
 .PHONY: dev-lab-metrics-server
 dev-lab-metrics-server: $(HELM) ## Deploy metrics-server helm chart
 	@echo Install metrics-server chart... >&2
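Review bot: The help text on `dev-lab-otel-collector` reads `## Deploy tempo helm chart`, copied from the tempo target directly above it, and that is the string `make help` will print; it should be `dev-lab-otel-collector: $(HELM) ## Deploy otel-collector helm chart`. The chart is installed from the remote OpenTelemetry repo with no `--version`, so repeated runs of the dev lab can pick up different collector releases; a pinned `--version` makes the lab reproducible.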
@@ -799,7 +1097,18 @@ dev-lab-metrics-server: $(HELM) ## Deploy metrics-server helm chart
 		--values ./scripts/config/dev/metrics-server.yaml
 
 .PHONY: dev-lab-all
-dev-lab-all: dev-lab-ingress-ngingx dev-lab-metrics-server dev-lab-prometheus dev-lab-loki dev-lab-tempo
+dev-lab-all: dev-lab-ingress-ngingx dev-lab-metrics-server dev-lab-prometheus dev-lab-loki dev-lab-tempo dev-lab-otel-collector ## Deploy all dev lab components
+
+.PHONY: dev-lab-policy-reporter
+dev-lab-policy-reporter: $(HELM) ## Deploy policy-reporter helm chart
+	@echo Install policy-reporter chart... >&2
+	@$(HELM) upgrade --install policy-reporter --namespace policy-reporter --create-namespace --wait \
+		--repo https://kyverno.github.io/policy-reporter policy-reporter \
+		--values ./scripts/config/dev/policy-reporter.yaml
+
+.PHONY: dev-lab-kwok
+dev-lab-kwok: ## Deploy kwok
+	@kubectl apply -k ./scripts/config/kwok
 
 ########
 # HELP #
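Review bot: `dev-lab-policy-reporter` appears to install the same `policy-reporter` chart into the same `policy-reporter` namespace as the existing `kind-deploy-reporter` target (visible as context earlier in this file), differing only in the values file, so two targets now manage what looks like one Helm release and whichever runs last silently replaces the other's values. If both are intended, a comment on each saying which setup it is for would help; otherwise one should delegate to the other. `dev-lab-all` was extended with `dev-lab-otel-collector` but not with the two new targets, which may be deliberate but is worth stating in its help text.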
diff --git a/README.md b/README.md
index 55ea62f73b97..75db6e5321fc 100644
--- a/README.md
+++ b/README.md
@@ -1,27 +1,36 @@
-# Kyverno [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Kubernetes%20Native%20Policy%20Management.%20No%20new%20language%20required%21&url=https://github.com/kyverno/kyverno/&hashtags=kubernetes,devops)
+# Kyverno [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Cloud%20Native%20Policy%20Management.%20No%20new%20language%20required%21&url=https://github.com/kyverno/kyverno/&hashtags=kubernetes,devops)
 
-**Kubernetes Native Policy Management 🎉**
+**Cloud Native Policy Management 🎉**
 
-![build](https://github.com/kyverno/kyverno/workflows/build/badge.svg)
-![releaser](https://github.com/kyverno/kyverno/workflows/releaser/badge.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/kyverno/kyverno)](https://goreportcard.com/report/github.com/kyverno/kyverno)
 ![License: Apache-2.0](https://img.shields.io/github/license/kyverno/kyverno?color=blue)
 [![GitHub Repo stars](https://img.shields.io/github/stars/kyverno/kyverno)](https://github.com/kyverno/kyverno/stargazers)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5327/badge)](https://bestpractices.coreinfrastructure.org/projects/5327)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kyverno/kyverno/badge)](https://api.securityscorecards.dev/projects/github.com/kyverno/kyverno)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/kyverno/kyverno/badge)](https://securityscorecards.dev/viewer/?uri=github.com/kyverno/kyverno)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kyverno)](https://artifacthub.io/packages/search?repo=kyverno)
 [![codecov](https://codecov.io/gh/kyverno/kyverno/branch/main/graph/badge.svg)](https://app.codecov.io/gh/kyverno/kyverno/branch/main)
-
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkyverno%2Fkyverno.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkyverno%2Fkyverno?ref=badge_shield)
 
 
 ![logo](img/Kyverno_Horizontal.png)
 
 

-Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans. Kyverno policies are Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.
+Kyverno is a policy engine designed for cloud native platform engineering teams. It enables security, automation, compliance, and governance using policy-as-code. Kyverno can validate, mutate, generate, and cleanup configurations using Kubernetes admission controls, background scans, and source code respository scans. Kyverno policies can also be used to verify OCI images, for software supply chain security. Kyverno policies can be managed as Kubernetes resources and do not require learning a new language. Kyverno is designed to work nicely with tools you already use like kubectl, kustomize, and Git.

+ Open Source Security Index - Fastest Growing Open Source Security Projects + + ## 📙 Documentation -Kyverno installation and reference documents are available at kyverno.io. +Kyverno installation and reference documents are available at [kyverno.io] (https://kyverno.io). 👉 **[Quick Start](https://kyverno.io/docs/introduction/#quick-start)** @@ -37,9 +46,9 @@ We are here to help! 👉 For discussions or questions, join the [Kyverno Slack channel](https://slack.k8s.io/#kyverno). -👉 For community meeting access, join the [mailing list](https://groups.google.com/g/kyverno). +👉 For community meeting access, see [mailing list](https://kyverno.io/community/#community-meetings). -👉 To get updates ⭐️ [star this repository](https://github.com/kyverno/kyverno/stargazers). +👉 To get follow updates ⭐️ [star this repository](https://github.com/kyverno/kyverno/stargazers). ## ➕ Contributing @@ -55,6 +64,10 @@ Thanks for your interest in contributing to Kyverno! Here are some steps to help ✔ Check out the Kyverno [Community page](https://kyverno.io/community/) for other ways to get involved. +## Software Bill of Materials + +All Kyverno images include a Software Bill of Materials (SBOM) in [CycloneDX](https://cyclonedx.org/) JSON format. SBOMs for Kyverno images are stored in a separate repository at `ghcr.io/kyverno/sbom`. More information on this is available at [Fetching the SBOM for Kyverno](https://kyverno.io/docs/security/#fetching-the-sbom-for-kyverno). + ## Contributors Kyverno is built and maintained by our growing community of contributors! 
@@ -64,3 +77,9 @@ Kyverno is built and maintained by our growing community of contributors! Made with [contributors-img](https://contrib.rocks).
+
+## License
+
+Copyright 2024, the Kyverno project. All rights reserved. Kyverno is licensed under the [Apache License 2.0](LICENSE).
+
+Kyverno is a [Cloud Native Computing Foundation (CNCF) Incubating project](https://www.cncf.io/projects/) and was contributed by [Nirmata](https://nirmata.com/?utm_source=github&utm_medium=repository).
diff --git a/ROADMAP.md b/ROADMAP.md
new file mode 100644
index 000000000000..9af88690a75b
--- /dev/null
+++ b/ROADMAP.md
@@ -0,0 +1,3 @@
+# Roadmap
+
+Kyverno features are planned and tracked via [Release Tracker board](https://github.com/orgs/kyverno/projects/9/views/1). The design details are tracked via [Kyverno Design Proposals (KDP)](https://github.com/kyverno/KDP). The full release roadmaps are managed via [release milestones on GitHub](https://github.com/kyverno/kyverno/milestones?direction=asc&sort=due_date&state=open).
diff --git a/SECURITY-INSIGHTS.yml b/SECURITY-INSIGHTS.yml
new file mode 100644
index 000000000000..f9ad0a8a73f0
--- /dev/null
+++ b/SECURITY-INSIGHTS.yml
@@ -0,0 +1,62 @@ +header: + schema-version: 1.0.0 + expiration-date: '2025-01-15T01:00:00.000Z' + project-url: 'https://github.com/kyverno/kyverno' + license: 'https://github.com/kyverno/kyverno/blob/main/LICENSE' +project-lifecycle: + bug-fixes-only: false + core-maintainers: + - https://github.com/kyverno/kyverno/blob/main/MAINTAINERS.md + status: active + release-process: 'https://github.com/kyverno/kyverno/releases' +contribution-policy: + accepts-pull-requests: true + accepts-automated-pull-requests: true + automated-tools-list: + - automated-tool: dependabot + action: allowed + path: + - / + contributing-policy: 'https://github.com/kyverno/kyverno/blob/main/CONTRIBUTING.md' + code-of-conduct: + - 'https://github.com/kyverno/kyverno/blob/main/CODE_OF_CONDUCT.md' +documentation: + - 'https://kyverno.io/docs/' +distribution-points: + - 'https://github.com/orgs/kyverno/packages' +security-artifacts: + threat-model: + threat-model-created: true + evidence-url: + - 'https://kyverno.io/docs/security/#threat-model' + self-assessment: + self-assessment-created: true + evidence-url: + - https://github.com/cncf/tag-security/blob/main/assessments/projects/kyverno/self-assessment.md +security-testing: +- tool-type: sca + tool-name: Dependabot + tool-version: "2" + tool-url: https://github.com/dependabot + integration: + ad-hoc: false + ci: true + before-release: true +security-contacts: +- type: email + value: kyverno-security@googlegroups.com + primary: true +vulnerability-reporting: + accepts-vulnerability-reports: true + email-contact: kyverno-security@googlegroups.com + security-policy: 'https://kyverno.io/docs/security/' + bug-bounty-available: false + bug-bounty-url: '' +dependencies: + third-party-packages: true + dependencies-lists: + - 'https://github.com/kyverno/kyverno/blob/main/go.mod' + dependencies-lifecycle: + policy-url: 'https://kyverno.io/docs/installation/#compatibility-matrix' + env-dependencies-policy: + policy-url: '' \ No newline at end of file 
diff --git a/SECURITY.md b/SECURITY.md
index 40f7f665d9e9..3bea512b31e6 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,34 +1,3 @@ # Security Policy -The Kyverno community has adopted this security disclosures and response policy to ensure we responsibly handle critical issues. -## Security bulletins -For information regarding the security of this project please join our [slack channel](https://slack.k8s.io/#kyverno). - -## Reporting a Vulnerability -### When you should? -- You think you discovered a potential security vulnerability in Kyverno. -- You are unsure how a vulnerability affects Kyverno. -- You think you discovered a vulnerability in another project that Kyverno depends on. For projects with their own vulnerability reporting and disclosure process, please report it directly there. - -### When you should not? -- You need help tuning Kyverno components for security - please discuss this is in the Kyverno [slack channel](https://slack.k8s.io/#kyverno). -- You need help applying security-related updates. -- Your issue is not security-related. - -### Please use the below process to report a vulnerability to the project: -1. Email the **Kyverno security group at kyverno-security@googlegroups.com** - * Emails should contain: - * description of the problem - * precise and detailed steps (include screenshots) that created the problem - * the affected version(s) - * any possible mitigations, if known -2. The project security team will send an initial response to the disclosure in 3-5 days. Once the vulnerability and fix are confirmed, the team will plan to release the fix in 7 to 28 days based on the severity and complexity. -3. You may be contacted by a project maintainer to further discuss the reported item. Please bear with us as we seek to understand the breadth and scope of the reported problem, recreate it, and confirm if there is a vulnerability present. 
- -## Supported Versions -Kyverno versions follow [Semantic Versioning](https://semver.org/) terminology and are expressed as x.y.z: -- where x is the major version -- y is the minor version -- and z is the patch version - -Security fixes, may be backported to the three most recent minor releases, depending on severity and feasibility. Patch releases are cut from those branches periodically, plus additional urgent releases, when required. \ No newline at end of file +[Kyverno and its sub-projects](https://github.com/kyverno#projects) follow the security practices published and maintained at https://github.com/kyverno/community/blob/main/SECURITY.md. diff --git a/api/kyverno/any.go b/api/kyverno/any.go new file mode 100644 index 000000000000..1d1b12474b63 --- /dev/null +++ b/api/kyverno/any.go @@ -0,0 +1,61 @@ +package kyverno + +import ( + "encoding/json" + + "github.com/jinzhu/copier" +) + +type Value any + +// Any can be any type. +// +k8s:deepcopy-gen=false +type Any struct { + // Value contains the value of the Any object. + // +optional + Value `json:"-"` +} + +func ToAny(in any) *Any { + var new *Any + if in != nil { + new = &Any{in} + } + return new +} + +func FromAny(in *Any) any { + if in == nil { + return nil + } + return in.Value +} + +func (in *Any) DeepCopyInto(out *Any) { + if err := copier.Copy(out, in); err != nil { + panic("deep copy failed") + } +} + +func (in *Any) DeepCopy() *Any { + if in == nil { + return nil + } + out := new(Any) + in.DeepCopyInto(out) + return out +} + +func (a *Any) MarshalJSON() ([]byte, error) { + return json.Marshal(a.Value) +} + +func (a *Any) UnmarshalJSON(data []byte) error { + var v any + err := json.Unmarshal(data, &v) + if err != nil { + return err + } + a.Value = v + return nil +} diff --git a/api/kyverno/constants.go b/api/kyverno/constants.go new file mode 100644 index 000000000000..8eeb1ffbb8db --- /dev/null +++ b/api/kyverno/constants.go 
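Review bot: `Any.DeepCopyInto` relies on `copier.Copy`, which as far as I recall copies fields but does not recurse into nested maps and slices unless the `DeepCopy` option is set, so for a `map[string]any` value the copy would still alias the original's inner containers — worth verifying with a test, and `copier.CopyWithOption(out, in, copier.Option{DeepCopy: true})` is the usual form when a true deep copy is required. The `panic("deep copy failed")` also discards `err`, so a failure gives no hint about which value could not be copied; `panic(fmt.Errorf("deep copy failed: %w", err))` (with an `fmt` import) keeps it. Minor: the local `new` in `ToAny` shadows the builtin, and the receivers are named `in` on two methods and `a` on the other two, where one receiver name per type is the convention. `Value`, `ToAny` and `FromAny` are exported API without doc comments; one sentence each (`// ToAny wraps a non-nil value in an Any; nil yields nil.`) would make the package readable via go doc.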
@@ -0,0 +1,21 @@ +package kyverno + +const ( + // Well known labels + LabelAppComponent = "app.kubernetes.io/component" + LabelAppManagedBy = "app.kubernetes.io/managed-by" + LabelCacheEnabled = "cache.kyverno.io/enabled" + LabelCertManagedBy = "cert.kyverno.io/managed-by" + LabelCleanupTtl = "cleanup.kyverno.io/ttl" + LabelWebhookManagedBy = "webhook.kyverno.io/managed-by" + // Well known annotations + AnnotationAutogenControllers = "pod-policies.kyverno.io/autogen-controllers" + AnnotationImageVerify = "kyverno.io/verify-images" + AnnotationPolicyCategory = "policies.kyverno.io/category" + AnnotationPolicyScored = "policies.kyverno.io/scored" + AnnotationPolicySeverity = "policies.kyverno.io/severity" + // Well known values + ValueKyvernoApp = "kyverno" + ValueTtlDateTimeLayout = "2006-01-02T150405Z" + ValueTtlDateLayout = "2006-01-02" +) diff --git a/api/kyverno/register.go b/api/kyverno/register.go deleted file mode 100755 index 0025c5debc14..000000000000 --- a/api/kyverno/register.go +++ /dev/null @@ -1,6 +0,0 @@ -package kyverno - -const ( - // GroupName must be the same as specified in Policy CRD - GroupName = "kyverno.io" -) diff --git a/api/kyverno/v1/clusterpolicy_test.go b/api/kyverno/v1/clusterpolicy_test.go index 11943d9a997b..1d49232112c4 100644 --- a/api/kyverno/v1/clusterpolicy_test.go +++ b/api/kyverno/v1/clusterpolicy_test.go @@ -3,6 +3,7 @@ package v1 import ( "testing" + "github.com/kyverno/kyverno/api/kyverno" "gotest.tools/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/validation/field" @@ -24,7 +25,7 @@ func Test_ClusterPolicy_Name(t *testing.T) { } func Test_ClusterPolicy_IsNamespaced(t *testing.T) { - namespaced := ClusterPolicy{ + namespaced := Policy{ ObjectMeta: metav1.ObjectMeta{ Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", Namespace: "abcd", 
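Review bot: `LabelCleanupTtl` and `ValueTtlDateTimeLayout`/`ValueTtlDateLayout` spell the TTL initialism in mixed case; Go convention keeps initialisms uniform (`LabelCleanupTTL`, `ValueTTLDateTimeLayout`), and since these are new exported names this is the cheapest moment to rename. The three `// Well known ...` comments head groups rather than individual constants, so go doc shows nothing for any of them; a short per-constant comment is most useful on `ValueTtlDateTimeLayout`, e.g. `// ValueTtlDateTimeLayout is the time layout for TTL values; the trailing Z is a literal, not a zone token, so parsed values are UTC.` — that last clause is my reading of the layout and should be confirmed against how the cleanup code parses it.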
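Review bot: `Test_ClusterPolicy_IsNamespaced` now constructs a `Policy` instead of a `ClusterPolicy`, so the test name and the file it lives in no longer match what it exercises; presumably this was done because `ClusterPolicy.IsNamespaced` is now hard-coded to `false`, but a reader of a failure will be misled. Either rename it (`Test_Policy_IsNamespaced`) and move it next to the `Policy` tests, or keep a `ClusterPolicy` case here asserting the new constant `false`. The rest of the test body is outside this hunk.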
@@ -44,7 +45,7 @@ func Test_ClusterPolicy_Autogen_All(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "policy", Annotations: map[string]string{ - PodControllersAnnotation: "all", + kyverno.AnnotationAutogenControllers: "all", }, }, } @@ -52,3 +53,37 @@ func Test_ClusterPolicy_Autogen_All(t *testing.T) { assert.Equal(t, len(errs), 1) assert.Equal(t, errs[0].Error(), "metadata.annotations: Forbidden: Autogen annotation does not support 'all' anymore, remove the annotation or set it to a valid value") } + +func Test_ClusterPolicy_HasAutoGenAnnotation(t *testing.T) { + tests := []struct { + name string + annotations map[string]string + expected bool + }{ + { + name: "Policy with AutoGen annotation (true)", + annotations: map[string]string{kyverno.AnnotationAutogenControllers: "pod-policies.kyverno.io/autogen-controllers"}, + expected: true, + }, + { + name: "Policy with AutoGen annotation (false)", + annotations: map[string]string{kyverno.AnnotationAutogenControllers: "none"}, + expected: false, + }, + { + name: "Policy without AutoGen annotation", + annotations: map[string]string{}, + expected: false, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + policy := &ClusterPolicy{ObjectMeta: metav1.ObjectMeta{Annotations: tc.annotations}} + result := policy.HasAutoGenAnnotation() + if result != tc.expected { + t.Errorf("Expected HasAutoGenAnnotation for policy %s to be %t, but got %t", tc.name, tc.expected, result) + } + }) + } +} diff --git a/api/kyverno/v1/clusterpolicy_types.go b/api/kyverno/v1/clusterpolicy_types.go index 97f7ef57724a..f7088bfd56eb 100644 --- a/api/kyverno/v1/clusterpolicy_types.go +++ b/api/kyverno/v1/clusterpolicy_types.go @@ -3,6 +3,7 @@ package v1 import ( "strings" + "github.com/kyverno/kyverno/api/kyverno" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" 
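Review bot: In the first `Test_ClusterPolicy_HasAutoGenAnnotation` case the annotation value is `"pod-policies.kyverno.io/autogen-controllers"`, i.e. the annotation key reused as its own value; the case still passes because anything other than `none` counts as enabled, but a realistic controller list such as `"Deployment,StatefulSet"` (sample value) documents the contract the test is meant to pin. Since `HasAutoGenAnnotation` compares `strings.ToLower(val) != "none"` (visible in the types hunk of this commit), a fourth case with `"None"` expecting `false` would also lock in the case-insensitive behaviour.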
@@ -14,15 +15,16 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:subresource:status // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY 
IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // +kubebuilder:storageversion // ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. @@ -41,7 +43,7 @@ type ClusterPolicy struct { // HasAutoGenAnnotation checks if a policy has auto-gen annotation func (p *ClusterPolicy) HasAutoGenAnnotation() bool { annotations := p.GetAnnotations() - val, ok := annotations[PodControllersAnnotation] + val, ok := annotations[kyverno.AnnotationAutogenControllers] if ok && strings.ToLower(val) != "none" { return true } @@ -78,6 +80,11 @@ func (p *ClusterPolicy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *ClusterPolicy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *ClusterPolicy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() @@ -95,7 +102,7 @@ func (p *ClusterPolicy) GetStatus() *PolicyStatus { // IsNamespaced indicates if the policy is namespace scoped func (p *ClusterPolicy) IsNamespaced() bool { - return p.GetNamespace() != "" + return false } // IsReady indicates if the policy is ready to serve the admission request 
@@ -103,22 +110,18 @@ func (p *ClusterPolicy) IsReady() bool { return p.Status.IsReady() } -func (p *ClusterPolicy) ValidateSchema() bool { - return p.Spec.ValidateSchema() -} - // Validate implements programmatic validation // namespaced means that the policy is bound to a namespace and therefore // should not filter/generate cluster wide resources. func (p *ClusterPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { errs = append(errs, ValidateAutogenAnnotation(field.NewPath("metadata").Child("annotations"), p.GetAnnotations())...) errs = append(errs, ValidatePolicyName(field.NewPath("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.Namespace, clusterResources)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.GetNamespace(), clusterResources)...) return errs } func (p *ClusterPolicy) GetKind() string { - return p.Kind + return "ClusterPolicy" } func (p *ClusterPolicy) CreateDeepCopy() PolicyInterface { diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index ef797d666d1c..209245e9a414 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go 
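Review bot: The comment above `ClusterPolicy.Validate` still says `namespaced means that the policy is bound to a namespace and therefore should not filter/generate cluster wide resources`, but after this commit `IsNamespaced` (the `@@ -95,7 +102,7 @@` hunk) is a constant `false`, so `Validate` always passes `false` and the sentence describes a case that cannot occur for this type; trim it to `// Validate implements programmatic validation.` and keep the explanation on `Policy.Validate`, where it applies. `GetKind` now returns the literal `"ClusterPolicy"` regardless of `TypeMeta`, presumably because typed objects from the client often arrive with an empty `Kind`; a one-line comment saying so would stop the next reader from "fixing" it back to `p.Kind`.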
@@ -2,15 +2,27 @@ package v1 import ( "encoding/json" + "fmt" + kjson "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1" + "github.com/kyverno/kyverno/api/kyverno" + "github.com/kyverno/kyverno/pkg/engine/variables/regex" + "github.com/kyverno/kyverno/pkg/pss/utils" "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest" + admissionv1 "k8s.io/api/admission/v1" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + "k8s.io/api/admissionregistration/v1alpha1" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation/field" "k8s.io/pod-security-admission/api" ) +// AssertionTree defines a kyverno-json assertion tree. +type AssertionTree = kjson.Any + // FailurePolicyType specifies a failure policy that defines how unrecognized errors from the admission endpoint are handled. // +kubebuilder:validation:Enum=Ignore;Fail type FailurePolicyType string 
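Review bot: The import block now pulls `github.com/kyverno/kyverno/pkg/engine/variables/regex` and `github.com/kyverno/kyverno/pkg/pss/utils` into `api/kyverno/v1`, the package external consumers import for the CRD types; if those packages bring engine dependencies with them, every client of the API types inherits them, so it is worth checking whether the helpers used from them (what is used is outside this hunk) can live under `api/` instead. Style: `k8s.io/api/admissionregistration/v1alpha1` is imported without an alias while its sibling is aliased `admissionregistrationv1`; `admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"` keeps the two distinguishable at the call site.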
@@ -27,12 +39,43 @@ const ( type ApplyRulesType string const ( - // AllMatchingRules applies all rules in a policy that match. + // ApplyAll applies all rules in a policy that match. ApplyAll ApplyRulesType = "All" - // FirstMatchingRule applies only the first matching rule in the policy. + // ApplyOne applies only the first matching rule in the policy. ApplyOne ApplyRulesType = "One" ) +// ForeachOrder specifies the iteration order in foreach statements. +// +kubebuilder:validation:Enum=Ascending;Descending +type ForeachOrder string + +const ( + // Ascending means iterating from first to last element. + Ascending ForeachOrder = "Ascending" + // Descending means iterating from last to first element. + Descending ForeachOrder = "Descending" +) + +// WebhookConfiguration specifies the configuration for Kubernetes admission webhookconfiguration. +type WebhookConfiguration struct { + // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + // Rules within the same policy share the same failure behavior. + // This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + // Allowed values are Ignore or Fail. Defaults to Fail. + // +optional + FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"` + + // TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + // After the configured time expires, the admission request may fail, or may simply ignore the policy results, + // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty" yaml:"timeoutSeconds,omitempty"` + + // MatchCondition configures admission webhook matchConditions. + // Requires Kubernetes 1.27 or later. 
+ // +optional + MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" yaml:"matchConditions,omitempty"` +} + // AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. // AnyConditions get fulfilled when at least one of its sub-conditions passes. // AllConditions get fulfilled only when all of its sub-conditions pass. @@ -63,7 +106,7 @@ type ContextEntry struct { // APICall is an HTTP request to the Kubernetes API server, or other JSON web service. // The data returned is stored in the context with the name for the context entry. - APICall *APICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"` + APICall *ContextAPICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"` // ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image // details. @@ -71,13 +114,19 @@ type ContextEntry struct { // Variable defines an arbitrary JMESPath context variable that can be defined inline. Variable *Variable `json:"variable,omitempty" yaml:"variable,omitempty"` + + // GlobalContextEntryReference is a reference to a cached global context entry. + // +kubebuilder:validation:Required + GlobalReference *GlobalContextEntryReference `json:"globalReference,omitempty" yaml:"globalReference,omitempty"` } // Variable defines an arbitrary JMESPath context variable that can be defined inline. type Variable struct { // Value is any arbitrary JSON object representable in YAML or JSON form. // +optional - Value *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + Value *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"` // JMESPath is an optional JMESPath Expression that can be used to // transform the variable. 
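Review bot: `TimeoutSeconds` is documented as "must be between 1 and 30 seconds" and `FailurePolicy` as "Defaults to Fail", but nothing in `WebhookConfiguration` lets the CRD schema enforce either, so `timeoutSeconds: 0` or `600` is accepted at policy creation and only surfaces later when the webhook registration is rejected, if at all. Add `// +kubebuilder:validation:Minimum=1` and `// +kubebuilder:validation:Maximum=30` above `TimeoutSeconds`, and state the default on the field (`// Defaults to 10.`) next to the marker rather than only in prose. `MatchConditions` also needs a security caveat: the API server evaluates matchConditions before calling Kyverno, so a request for which a condition is false, or errors under `failurePolicy: Ignore`, is admitted without this policy ever seeing it; suggest `// NOTE: requests for which a condition evaluates to false, or fails under Ignore, bypass this policy entirely.`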
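Review bot: `GlobalReference` carries `// +kubebuilder:validation:Required` while every sibling source in `ContextEntry` (`APICall`, `ImageRegistry`, `Variable`) is optional and the field itself is an `omitempty` pointer; if controller-gen honors the marker, a context entry would be rejected unless it names a global context entry, which contradicts the one-of design of the struct. Change it to `// +optional`. The `ContextEntry` struct begins before this hunk, so I cannot see whether another marker on the type overrides this.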
@@ -87,7 +136,25 @@ type Variable struct { // Default is an optional arbitrary JSON object that the variable may take if the JMESPath // expression evaluates to nil // +optional - Default *apiextv1.JSON `json:"default,omitempty" yaml:"default,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + Default *kyverno.Any `json:"default,omitempty" yaml:"default,omitempty"` +} + +func (v *Variable) GetValue() any { + return kyverno.FromAny(v.Value) +} + +func (v *Variable) SetValue(in any) { + v.Value = kyverno.ToAny(in) +} + +func (v *Variable) GetDefault() any { + return kyverno.FromAny(v.Default) +} + +func (v *Variable) SetDefault(in any) { + v.Default = kyverno.ToAny(in) } // ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image @@ -102,6 +169,10 @@ type ImageRegistry struct { // the image reference. // +optional JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"` + + // ImageRegistryCredentials provides credentials that will be used for authentication with registry + // +kubebuilder:validation:Optional + ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"` } // ConfigMapReference refers to a ConfigMap 
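Review bot: the new `ImageRegistryCredentials` field on `ImageRegistry` says only that it "provides credentials" and does not say whether they are resolved by reference (e.g. Secret names) or can be supplied inline, while `ClusterPolicy` objects are cluster-scoped and typically readable by far more principals than a registry Secret. The `ImageRegistryCredentials` type is not in this diff, so I can only ask that the comment state how credentials are resolved and, if inline values are possible, warn against them, e.g. `// ImageRegistryCredentials provides credentials used to authenticate to the registry; credentials are resolved by reference, never embed secret material in the policy.` if that is indeed how it works. Also `+kubebuilder:validation:Optional` here versus `+optional` on the sibling `JMESPath` — pick one form. The `ImageRegistry` struct starts outside this hunk.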
@@ -114,15 +185,47 @@ type ConfigMapReference struct { } type APICall struct { - // URLPath is the URL path to be used in the HTTP GET request to the + // URLPath is the URL path to be used in the HTTP GET or POST request to the // Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). // The format required is the same format used by the `kubectl get --raw` command. + // See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + // for details. + // It's mutually exclusive with the Service field. // +kubebuilder:validation:Optional URLPath string `json:"urlPath" yaml:"urlPath"` - // Service is an API call to a JSON web service + // Method is the HTTP request type (GET or POST). Defaults to GET. + // +kubebuilder:default=GET + Method Method `json:"method,omitempty" yaml:"method,omitempty"` + + // The data object specifies the POST data sent to the server. + // Only applicable when the method field is set to POST. + // +kubebuilder:validation:Optional + Data []RequestData `json:"data,omitempty" yaml:"data,omitempty"` + + // Service is an API call to a JSON web service. + // This is used for non-Kubernetes API server calls. + // It's mutually exclusive with the URLPath field. // +kubebuilder:validation:Optional Service *ServiceCall `json:"service,omitempty" yaml:"service,omitempty"` +} + +type ContextAPICall struct { + APICall `json:",inline" yaml:",inline"` + + // JMESPath is an optional JSON Match Expression that can be used to + // transform the JSON response returned from the server. For example + // a JMESPath of "items | length(@)" applied to the API server response + // for the URLPath "/apis/apps/v1/deployments" will return the total count + // of deployments across all namespaces. 
+ // +kubebuilder:validation:Optional + JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"` +} + +type GlobalContextEntryReference struct { + // Name of the global context entry + // +kubebuilder:validation:Required + Name string `json:"name,omitempty" yaml:"name,omitempty"` // JMESPath is an optional JSON Match Expression that can be used to // transform the JSON response returned from the server. For example @@ -134,22 +237,14 @@ type APICall struct { } type ServiceCall struct { - // URL is the JSON web service URL. - // The typical format is `https://{service}.{namespace}:{port}/{path}`. - URL string `json:"urlPath" yaml:"urlPath"` + // URL is the JSON web service URL. A typical form is + // `https://{service}.{namespace}:{port}/{path}`. + URL string `json:"url" yaml:"url"` // CABundle is a PEM encoded CA bundle which will be used to validate // the server certificate. // +kubebuilder:validation:Optional CABundle string `json:"caBundle" yaml:"caBundle"` - - // Method is the HTTP request type (GET or POST). - // +kubebuilder:default=GET - Method Method `json:"requestType" yaml:"requestType"` - - // Data specifies the POST data sent to the server. - // +kubebuilder:validation:Optional - Data []RequestData `json:"data" yaml:"data"` } // Method is a HTTP request type. @@ -162,7 +257,7 @@ type RequestData struct { Key string `json:"key" yaml:"key"` // Value is the data value - Value *apiextensionsv1.JSON `json:"value" yaml:"value"` + Value *apiextv1.JSON `json:"value" yaml:"value"` } // Condition defines variable-based conditional criteria for rule execution. @@ -180,6 +275,9 @@ type Condition struct { // or can be variables declared using JMESPath. // +optional RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` + + // Message is an optional display message + Message string `json:"message,omitempty" yaml:"message,omitempty"` } func (c *Condition) GetKey() apiextensions.JSON { 
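Review bot: `APICall` now accepts `Method: POST` with a `Data` body, and the comments make `URLPath` and `Service` mutually exclusive, but nothing here prevents `method: POST` from being combined with `urlPath`, i.e. a policy author POSTing arbitrary data to any API-server path using Kyverno's own ServiceAccount credentials. Unless the engine rejects that combination elsewhere (not visible in this diff), the programmatic `Validate` for `APICall` should forbid `Method == POST` when `URLPath != ""`, or at minimum the `URLPath` comment should say the call is made with Kyverno's ServiceAccount and that POST is write-capable. `Method` also gets `+kubebuilder:default=GET` but no `+kubebuilder:validation:Enum=GET;POST` in this hunk; the `Method` type definition is cut off below, so if the enum is not there, add it so the schema rejects e.g. `DELETE`.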
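Review bot: `ServiceCall.URL` changes its serialized name from `urlPath` to `url`, and `Method`/`Data` move out of `ServiceCall` into `APICall` with `requestType` renamed to `method`; in a `v1` API with no conversion shown here, an existing policy using `service.urlPath` or `service.requestType` will either fail validation or have the field pruned, and with pruning the call silently targets an empty URL. If the rename is intentional, add a deprecation line on `ServiceCall` (`// Deprecated field names urlPath and requestType are no longer read; use url and apiCall.method.`) and make `Validate` reject an empty `URL` so the failure is loud. `CABundle` also says nothing about what happens when it is empty — state whether the system trust store is used or server verification is skipped, since that decides whether an empty value is safe.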
@@ -262,9 +360,13 @@ func (r ResourceFilter) IsEmpty() bool { // Mutation defines how resource are modified. type Mutation struct { + // MutateExistingOnPolicyUpdate controls if the mutateExisting rule will be applied on policy events. + // +optional + MutateExistingOnPolicyUpdate *bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"` + // Targets defines the target resources to be mutated. // +optional - Targets []ResourceSpec `json:"targets,omitempty" yaml:"targets,omitempty"` + Targets []TargetResourceSpec `json:"targets,omitempty" yaml:"targets,omitempty"` // PatchStrategicMerge is a strategic merge patch used to modify resources. // See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ @@ -290,12 +392,17 @@ func (m *Mutation) SetPatchStrategicMerge(in apiextensions.JSON) { m.RawPatchStrategicMerge = ToJSON(in) } -// ForEach applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. +// ForEachMutation applies mutation rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. type ForEachMutation struct { // List specifies a JMESPath expression that results in one or more elements // to which the validation logic is applied. List string `json:"list,omitempty" yaml:"list,omitempty"` + // Order defines the iteration order on the list. + // Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + // +optional + Order *ForeachOrder `json:"order,omitempty" yaml:"order,omitempty"` + // Context defines variables and data sources that can be used during rule execution. // +optional Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"` 
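Review bot: `MutateExistingOnPolicyUpdate` is a `*bool` whose comment does not say what an unset value means; a mutateExisting rule that fires on policy events touches already-running resources cluster-wide, so the default should be spelled out, e.g. `// Defaults to false when unset.` if that is the engine's behaviour (the engine is not in this diff). `Targets` changes type to `TargetResourceSpec`, which is defined outside this hunk, so I cannot confirm it remains wire-compatible with the previous `ResourceSpec` shape.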
@@ -311,7 +418,9 @@ type ForEachMutation struct { // See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ // and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. // +optional - RawPatchStrategicMerge *apiextv1.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawPatchStrategicMerge *kyverno.Any `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"` // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. // See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. 
@@ -320,19 +429,41 @@ type ForEachMutation struct { // Foreach declares a nested foreach iterator // +optional - ForEachMutation *apiextv1.JSON `json:"foreach,omitempty" yaml:"foreach,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + ForEachMutation *ForEachMutationWrapper `json:"foreach,omitempty" yaml:"foreach,omitempty"` } -func (m *ForEachMutation) GetPatchStrategicMerge() apiextensions.JSON { - return FromJSON(m.RawPatchStrategicMerge) +func (m *ForEachMutation) GetForEachMutation() []ForEachMutation { + if m.ForEachMutation == nil { + return nil + } + return m.ForEachMutation.Items } -func (m *ForEachMutation) SetPatchStrategicMerge(in apiextensions.JSON) { - m.RawPatchStrategicMerge = ToJSON(in) +func (m *ForEachMutation) GetPatchStrategicMerge() any { + return kyverno.FromAny(m.RawPatchStrategicMerge) +} + +func (m *ForEachMutation) SetPatchStrategicMerge(in any) { + m.RawPatchStrategicMerge = kyverno.ToAny(in) } // Validation defines checks to be performed on matching resources. type Validation struct { + // ValidationFailureAction defines if a validation policy rule violation should block + // the admission review request (Enforce), or allow (Audit) the admission review request + // and report an error in a policy report. Optional. + // Allowed values are Audit or Enforce. + // +optional + // +kubebuilder:validation:Enum=Audit;Enforce + ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + + // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. 
+ // +optional + ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + // Message specifies a custom message to be displayed on failure. // +optional Message string `json:"message,omitempty" yaml:"message,omitempty"` @@ -362,6 +493,14 @@ type Validation struct { // by specifying exclusions for Pod Security Standards controls. // +optional PodSecurity *PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"` + + // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + // +optional + CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"` + + // Assert defines a kyverno-json assertion tree. + // +optional + Assert AssertionTree `json:"assert"` } // PodSecurity applies exemptions for Kubernetes Pod Security admission @@ -373,8 +512,8 @@ type PodSecurity struct { Level api.Level `json:"level,omitempty" yaml:"level,omitempty"` // Version defines the Pod Security Standard versions that Kubernetes supports. - // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, latest. Defaults to latest. - // +kubebuilder:validation:Enum=v1.19;v1.20;v1.21;v1.22;v1.23;v1.24;v1.25;latest + // Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. + // +kubebuilder:validation:Enum=v1.19;v1.20;v1.21;v1.22;v1.23;v1.24;v1.25;v1.26;v1.27;v1.28;v1.29;latest // +optional Version string `json:"version,omitempty" yaml:"version,omitempty"` 
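Review bot: rule-level `ValidationFailureAction` and `ValidationFailureActionOverrides` are added without saying how they combine with the spec-level settings; a rule-level `Audit` inside an otherwise `Enforce` policy is a silent downgrade from blocking to reporting, so the comment should state the precedence explicitly, e.g. `// When set, this rule-level value takes precedence over spec.validationFailureAction.` (confirm against the engine, which is not in this hunk). `GetPatchStrategicMerge`/`SetPatchStrategicMerge` on `ForEachMutation` also change their types from `apiextensions.JSON` to `any`, a source-incompatible change for anything implementing or mocking these; fine if intentional, but the method comments should be added now that the signatures changed.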
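Review bot: `Assert` is marked `// +optional` but its tag is the bare `json:"assert"` with no `omitempty` and no `yaml` tag, unlike every other field in `Validation`; every serialized policy will therefore carry an `assert` key (probably `null`, depending on how `kjson.Any` marshals a zero value) and YAML round-trips will use a default field name. Change the tag to `json:"assert,omitempty" yaml:"assert,omitempty"`. The `Validation` struct starts outside this hunk.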
@@ -395,6 +534,73 @@ type PodSecurityStandard struct { // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. // +optional Images []string `json:"images,omitempty" yaml:"images,omitempty"` + + // RestrictedField selects the field for the given Pod Security Standard control. + // When not set, all restricted fields for the control are selected. + // +optional + RestrictedField string `json:"restrictedField,omitempty" yaml:"restrictedField,omitempty"` + + // Values defines the allowed values that can be excluded. + // +optional + Values []string `json:"values,omitempty" yaml:"values,omitempty"` +} + +func (pss *PodSecurityStandard) Validate(path *field.Path) (errs field.ErrorList) { + // container level control must specify images + if containsString(utils.PSS_container_level_control, pss.ControlName) { + if len(pss.Images) == 0 { + errs = append(errs, field.Invalid(path.Child("controlName"), pss.ControlName, "exclude.images must be specified for the container level control")) + } + } else if containsString(utils.PSS_pod_level_control, pss.ControlName) { + if len(pss.Images) != 0 { + errs = append(errs, field.Invalid(path.Child("controlName"), pss.ControlName, "exclude.images must not be specified for the pod level control")) + } + } + + if pss.RestrictedField != "" && len(pss.Values) == 0 { + errs = append(errs, field.Forbidden(path.Child("values"), "values is required")) + } + + if pss.RestrictedField == "" && len(pss.Values) != 0 { + errs = append(errs, field.Forbidden(path.Child("restrictedField"), "restrictedField is required")) + } + return errs +} + +// CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). +type CEL struct { + // Expressions is a list of CELExpression types. + Expressions []v1alpha1.Validation `json:"expressions,omitempty" yaml:"expressions,omitempty"` + + // ParamKind is a tuple of Group Kind and Version. 
+ // +optional + ParamKind *v1alpha1.ParamKind `json:"paramKind,omitempty" yaml:"paramKind,omitempty"` + + // ParamRef references a parameter resource. + // +optional + ParamRef *v1alpha1.ParamRef `json:"paramRef,omitempty" yaml:"paramRef,omitempty"` + + // AuditAnnotations contains CEL expressions which are used to produce audit annotations for the audit event of the API request. + // +optional + AuditAnnotations []v1alpha1.AuditAnnotation `json:"auditAnnotations,omitempty" yaml:"auditAnnotations,omitempty"` + + // Variables contain definitions of variables that can be used in composition of other expressions. + // Each variable is defined as a named CEL expression. + // The variables defined here will be available under `variables` in other expressions of the policy. + // +optional + Variables []v1alpha1.Variable `json:"variables,omitempty" yaml:"variables,omitempty"` +} + +func (c *CEL) HasParam() bool { + return c.ParamKind != nil && c.ParamRef != nil +} + +func (c *CEL) GetParamKind() v1alpha1.ParamKind { + return *c.ParamKind +} + +func (c *CEL) GetParamRef() v1alpha1.ParamRef { + return *c.ParamRef } // DeserializeAnyPattern deserialize apiextensions.JSON to []interface{} 
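Review bot: `GetParamKind` and `GetParamRef` dereference `c.ParamKind`/`c.ParamRef` unconditionally, so any caller that does not first check `HasParam()` panics on a policy that sets only one of `paramKind`/`paramRef` — a crafted policy object would then crash the calling path instead of being rejected. Return the zero value when the pointer is nil, and have the CEL validation (not in this hunk) reject a block that sets one without the other. Separately, the two cross-field checks in `PodSecurityStandard.Validate` use `field.Forbidden` with a message that says the field "is required"; `field.Required(path.Child("values"), "values must be set when restrictedField is set")` is the matching error type, and likewise for `restrictedField`.
```go
func (c *CEL) GetParamKind() v1alpha1.ParamKind {
	if c.ParamKind == nil {
		return v1alpha1.ParamKind{}
	}
	return *c.ParamKind
}

func (c *CEL) GetParamRef() v1alpha1.ParamRef {
	if c.ParamRef == nil {
		return v1alpha1.ParamRef{}
	}
	return *c.ParamRef
}
```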
@@ -450,18 +656,27 @@ type Deny struct { // of conditions (without `any` or `all` statements) is also supported for backwards compatibility // but will be deprecated in the next major release. // See: https://kyverno.io/docs/writing-policies/validate/#deny-rules - RawAnyAllConditions *apiextv1.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawAnyAllConditions *ConditionsWrapper `json:"conditions,omitempty" yaml:"conditions,omitempty"` } -func (d *Deny) GetAnyAllConditions() apiextensions.JSON { - return FromJSON(d.RawAnyAllConditions) +func (d *Deny) GetAnyAllConditions() any { + if d.RawAnyAllConditions == nil { + return nil + } + return d.RawAnyAllConditions.Conditions } -func (d *Deny) SetAnyAllConditions(in apiextensions.JSON) { - d.RawAnyAllConditions = ToJSON(in) +func (d *Deny) SetAnyAllConditions(in any) { + var new *ConditionsWrapper + if in != nil { + new = &ConditionsWrapper{in} + } + d.RawAnyAllConditions = new } -// ForEach applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. +// ForEachValidation applies validate rules to a list of sub-elements by creating a context for each entry in the list and looping over it to apply the specified logic. type ForEachValidation struct { // List specifies a JMESPath expression that results in one or more elements // to which the validation logic is applied. 
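Review bot: `SetAnyAllConditions` names its local `new`, shadowing the builtin for the rest of the function; `var wrapper *ConditionsWrapper` reads better and keeps linters quiet, and `&ConditionsWrapper{Conditions: in}` should name the field rather than rely on a positional literal. Since `RawAnyAllConditions` is now `Schemaless`/`PreserveUnknownFields`, the API server no longer validates the shape of `deny.conditions`; make sure the programmatic validation path (outside this hunk) still rejects a malformed conditions block rather than treating it as "no conditions", which would turn a deny rule into an allow.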
@@ -499,7 +714,16 @@ type ForEachValidation struct { // Foreach declares a nested foreach iterator // +optional - ForEachValidation *apiextv1.JSON `json:"foreach,omitempty" yaml:"foreach,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + ForEachValidation *ForEachValidationWrapper `json:"foreach,omitempty" yaml:"foreach,omitempty"` +} + +func (v *ForEachValidation) GetForEachValidation() []ForEachValidation { + if v.ForEachValidation == nil { + return nil + } + return v.ForEachValidation.Items } func (v *ForEachValidation) GetPattern() apiextensions.JSON { @@ -520,6 +744,11 @@ func (v *ForEachValidation) SetAnyPattern(in apiextensions.JSON) { // Generation defines how new resources should be created and managed. type Generation struct { + // GenerateExisting controls whether to trigger the rule in existing resources + // If is set to "true" the rule will be triggered and applied to existing matched resources. + // +optional + GenerateExisting *bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"` + // ResourceSpec contains information to select the resource. ResourceSpec `json:",omitempty" yaml:",omitempty"` 
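Review bot: `GenerateExisting` is a `*bool` whose comment ("If is set to "true" the rule will be triggered...") has a grammar slip and does not say what nil means; since enabling it applies a generate rule to every existing matched resource, spell it out, e.g. `// When set to true the rule is also applied to existing matched resources. Defaults to false when unset.` if that is the engine's behaviour (not visible here). `GetForEachValidation` is fine but, like its `ForEachMutation` twin, deserves a one-line doc comment as an exported method.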
@@ -530,6 +759,13 @@ type Generation struct { // +optional Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"` + // OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + // them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + // See https://kyverno.io/docs/writing-policies/generate/#data-examples. + // Defaults to "false" if not specified. + // +optional + OrphanDownstreamOnPolicyDelete bool `json:"orphanDownstreamOnPolicyDelete,omitempty" yaml:"orphanDownstreamOnPolicyDelete,omitempty"` + // Data provides the resource declaration used to populate each generated resource. // At most one of Data or Clone must be specified. If neither are provided, the generated // resource will be created with default data only. 
@@ -560,6 +796,93 @@ type CloneList struct { Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"` } +func (g *Generation) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) { + if namespaced { + if err := g.validateNamespacedTargetsScope(clusterResources, policyNamespace); err != nil { + errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), fmt.Sprintf("target resource scope mismatched: %v ", err))) + } + } + + if g.GetKind() != "" { + if !clusterResources.Has(g.GetAPIVersion() + "/" + g.GetKind()) { + if g.GetNamespace() == "" { + errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), "target namespace must be set for a namespaced resource")) + } + } else { + if g.GetNamespace() != "" { + errs = append(errs, field.Forbidden(path.Child("generate").Child("namespace"), "target namespace must not be set for a cluster-wide resource")) + } + } + } + + generateType, _, _ := g.GetTypeAndSyncAndOrphanDownstream() + if generateType == Data { + return errs + } + + newGeneration := Generation{ + ResourceSpec: ResourceSpec{ + Kind: g.ResourceSpec.GetKind(), + APIVersion: g.ResourceSpec.GetAPIVersion(), + }, + Clone: g.Clone, + CloneList: g.CloneList, + } + + if err := regex.ObjectHasVariables(newGeneration); err != nil { + errs = append(errs, field.Forbidden(path.Child("generate").Child("clone/cloneList"), "Generation Rule Clone/CloneList should not have variables")) + } + + if len(g.CloneList.Kinds) == 0 { + if g.Kind == "" { + errs = append(errs, field.Forbidden(path.Child("generate").Child("kind"), "kind can not be empty")) + } + if g.Name == "" { + errs = append(errs, field.Forbidden(path.Child("generate").Child("name"), "name can not be empty")) + } + } + + errs = append(errs, g.ValidateCloneList(path.Child("generate"), namespaced, policyNamespace, clusterResources)...) 
+ return errs +} + +func (g *Generation) ValidateCloneList(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) { + if len(g.CloneList.Kinds) == 0 { + return nil + } + + if namespaced { + for _, kind := range g.CloneList.Kinds { + if clusterResources.Has(kind) { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("kinds"), fmt.Sprintf("the source in cloneList must be a namespaced resource: %v", kind))) + } + if g.CloneList.Namespace != policyNamespace { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), fmt.Sprintf("a namespaced policy cannot clone resources from other namespace, expected: %v, received: %v", policyNamespace, g.CloneList.Namespace))) + } + } + } + + clusterScope := clusterResources.Has(g.CloneList.Kinds[0]) + for _, gvk := range g.CloneList.Kinds[1:] { + if clusterScope != clusterResources.Has(gvk) { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("kinds"), "mixed scope of target resources is forbidden")) + break + } + clusterScope = clusterScope && clusterResources.Has(gvk) + } + + if !clusterScope { + if g.CloneList.Namespace == "" { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), "namespace is required for namespaced target resources")) + } + } else if clusterScope && !namespaced { + if g.CloneList.Namespace != "" { + errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), "namespace is forbidden for cluster-wide target resources")) + } + } + return errs +} + func (g *Generation) GetData() apiextensions.JSON { return FromJSON(g.RawData) } 
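Review bot: in `ValidateCloneList` the `g.CloneList.Namespace != policyNamespace` comparison sits inside the `for _, kind := range g.CloneList.Kinds` loop, so a namespaced policy with a wrong source namespace gets one identical error per kind; hoist it above the loop. The scope loop's trailing `clusterScope = clusterScope && clusterResources.Has(gvk)` is dead after the `break` on mismatch, and `else if clusterScope && !namespaced` can drop the `clusterScope &&`. Also, in `Validate` the early `return errs` for `Data` rules skips the "kind/name can not be empty" checks, so a data rule with no `kind` is only caught if some later check does it — worth confirming.
```go
	if namespaced {
		if g.CloneList.Namespace != policyNamespace {
			errs = append(errs, field.Forbidden(path.Child("cloneList").Child("namespace"), fmt.Sprintf("a namespaced policy cannot clone resources from other namespace, expected: %v, received: %v", policyNamespace, g.CloneList.Namespace)))
		}
		for _, kind := range g.CloneList.Kinds {
			if clusterResources.Has(kind) {
				errs = append(errs, field.Forbidden(path.Child("cloneList").Child("kinds"), fmt.Sprintf("the source in cloneList must be a namespaced resource: %v", kind)))
			}
		}
	}
	// … unchanged: mixed-scope and namespace presence checks …
```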
@@ -568,6 +891,38 @@ func (g *Generation) SetData(in apiextensions.JSON) { g.RawData = ToJSON(in) } +func (g *Generation) validateNamespacedTargetsScope(clusterResources sets.Set[string], policyNamespace string) error { + target := g.ResourceSpec + if clusterResources.Has(target.GetAPIVersion() + "/" + target.GetKind()) { + return fmt.Errorf("the target must be a namespaced resource: %v/%v", target.GetAPIVersion(), target.GetKind()) + } + + if g.GetNamespace() != policyNamespace { + return fmt.Errorf("a namespaced policy cannot generate resources in other namespaces, expected: %v, received: %v", policyNamespace, g.GetNamespace()) + } + + if g.Clone.Name != "" { + if g.Clone.Namespace != policyNamespace { + return fmt.Errorf("a namespaced policy cannot clone resources from other namespaces, expected: %v, received: %v", policyNamespace, g.Clone.Namespace) + } + } + return nil +} + +type GenerateType string + +const ( + Data GenerateType = "Data" + Clone GenerateType = "Clone" +) + +func (g *Generation) GetTypeAndSyncAndOrphanDownstream() (GenerateType, bool, bool) { + if g.RawData != nil { + return Data, g.Synchronize, g.OrphanDownstreamOnPolicyDelete + } + return Clone, g.Synchronize, g.OrphanDownstreamOnPolicyDelete +} + // CloneFrom provides the location of the source resource used to generate target resources. // The resource kind is derived from the match criteria. type CloneFrom struct { 
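Review bot: `GetTypeAndSyncAndOrphanDownstream` returns `OrphanDownstreamOnPolicyDelete` for `Clone` rules too, while the field's own comment in the earlier hunk says it is only applicable to data rules; a caller cannot tell whether the flag is meaningful, so either mask it, `return Clone, g.Synchronize, false`, or have `Validate` reject `orphanDownstreamOnPolicyDelete: true` on clone rules. Note also that a rule with neither `data` nor `clone` is classified as `Clone` here because the test is `g.RawData != nil`, which then subjects it to the clone-only variable and namespace checks — confirm that is intended. `GenerateType` and its constants are exported and should carry doc comments.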
@@ -613,3 +968,14 @@ type DryRunOption struct { type IgnoreFieldList []ObjectFieldBinding type ObjectFieldBinding k8smanifest.ObjectFieldBinding + +// AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action. +// +kubebuilder:validation:Enum=CREATE;CONNECT;UPDATE;DELETE +type AdmissionOperation admissionv1.Operation + +const ( + Create AdmissionOperation = AdmissionOperation(admissionv1.Create) + Update AdmissionOperation = AdmissionOperation(admissionv1.Update) + Delete AdmissionOperation = AdmissionOperation(admissionv1.Delete) + Connect AdmissionOperation = AdmissionOperation(admissionv1.Connect) +) diff --git a/api/kyverno/v1/constants.go b/api/kyverno/v1/constants.go deleted file mode 100644 index 564d93afb0cf..000000000000 --- a/api/kyverno/v1/constants.go +++ /dev/null @@ -1,13 +0,0 @@ -package v1 - -const ( - // PodControllersAnnotation defines the annotation key for Pod-Controllers - PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers" - // LabelAppManagedBy defines the label key for managed-by label - LabelAppManagedBy = "app.kubernetes.io/managed-by" - AnnotationPolicyCategory = "policies.kyverno.io/category" - AnnotationPolicySeverity = "policies.kyverno.io/severity" - AnnotationPolicyScored = "policies.kyverno.io/scored" - // ValueKyvernoApp defines the kyverno application value - ValueKyvernoApp = "kyverno" -) diff --git a/api/kyverno/v1/fuzz_test.go b/api/kyverno/v1/fuzz_test.go new file mode 100644 index 000000000000..7ff5634cc81e --- /dev/null +++ b/api/kyverno/v1/fuzz_test.go 
@@ -0,0 +1,56 @@
+package v1
+
+import (
+ "testing"
+
+ fuzz "github.com/AdaLogics/go-fuzz-headers"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func FuzzV1PolicyValidate(f *testing.F) {
+ f.Fuzz(func(t *testing.T, data []byte) {
+ ff := fuzz.NewConsumer(data)
+ p := Policy{}
+ ff.GenerateStruct(&p)
+ _ = p.Validate(nil)
+ })
+}
+
+var (
+ path = field.NewPath("dummy")
+)
+
+func FuzzV1ImageVerification(f *testing.F) {
+ f.Fuzz(func(t *testing.T, data []byte) {
+ ff := fuzz.NewConsumer(data)
+ iv := ImageVerification{}
+ ff.GenerateStruct(&iv)
+ iv.Validate(false, path)
+ })
+}
+
+func FuzzV1MatchResources(f *testing.F) {
+ f.Fuzz(func(t *testing.T, data []byte) {
+ ff := fuzz.NewConsumer(data)
+ mr := &MatchResources{}
+ ff.GenerateStruct(&mr)
+ mr.Validate(path, false, nil)
+ })
+}
+
+func FuzzV1ClusterPolicy(f *testing.F) {
+ f.Fuzz(func(t *testing.T, data []byte) {
+ ff := fuzz.NewConsumer(data)
+ cp := &ClusterPolicy{}
+ ff.GenerateStruct(&cp)
+ cp.HasAutoGenAnnotation()
+ cp.HasMutateOrValidateOrGenerate()
+ cp.HasMutate()
+ cp.HasValidate()
+ cp.HasGenerate()
+ cp.HasVerifyImages()
+ cp.AdmissionProcessingEnabled()
+ cp.BackgroundProcessingEnabled()
+ cp.Validate(nil)
+ })
+}
diff --git a/api/kyverno/v1/generaterequest_types.go b/api/kyverno/v1/generaterequest_types.go
deleted file mode 100644
index e7be2f3a37e1..000000000000
--- a/api/kyverno/v1/generaterequest_types.go
+++ /dev/null
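Review bot: none of the four fuzz targets registers a seed corpus, so `go test -fuzz` starts from an empty input and `go-fuzz-headers` produces mostly-zero structs for a long time before `Validate` reaches its interesting branches; add at least one `f.Add([]byte{...})` per target, ideally the JSON bytes of a known-valid `ClusterPolicy`. `FuzzV1MatchResources` and `FuzzV1ClusterPolicy` pass `&mr`/`&cp` where the variable is already a pointer (a `**T`), unlike the two value-based targets; declare `mr := MatchResources{}` and pass `&mr` so all four read the same way. `iv.Validate(false, path)` only covers the non-audit branch; a second call with `true` is cheap and doubles the coverage of the mutateDigest checks tested elsewhere in this commit.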
@@ -1,118 +0,0 @@ -package v1 - -import ( - admissionv1 "k8s.io/api/admission/v1" - authenticationv1 "k8s.io/api/authentication/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +kubebuilder:object:root=true -// +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy" -// +kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind" -// +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name" -// +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace" -// +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state" -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:resource:shortName=gr -// +kubebuilder:storageversion - -// GenerateRequest is a request to process generate rule. -type GenerateRequest struct { - metav1.TypeMeta `json:",inline" yaml:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` - - // Spec is the information to identify the generate request. - Spec GenerateRequestSpec `json:"spec" yaml:"spec"` - - // Status contains statistics related to generate request. - // +optional - Status GenerateRequestStatus `json:"status" yaml:"status"` -} - -// GenerateRequestSpec stores the request specification. -type GenerateRequestSpec struct { - // Specifies the name of the policy. - Policy string `json:"policy" yaml:"policy"` - - // ResourceSpec is the information to identify the generate request. - Resource ResourceSpec `json:"resource" yaml:"resource"` - - // Context ... - Context GenerateRequestContext `json:"context" yaml:"context"` -} - -// GenerateRequestContext stores the context to be shared. 
-type GenerateRequestContext struct { - // +optional - UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"` - // +optional - AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty" yaml:"admissionRequestInfo,omitempty"` -} - -// AdmissionRequestInfoObject stores the admission request and operation details -type AdmissionRequestInfoObject struct { - // +optional - AdmissionRequest string `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"` - // +optional - Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"` -} - -// RequestInfo contains permission info carried in an admission request. -type RequestInfo struct { - // Roles is a list of possible role send the request. - // +nullable - // +optional - Roles []string `json:"roles" yaml:"roles"` - - // ClusterRoles is a list of possible clusterRoles send the request. - // +nullable - // +optional - ClusterRoles []string `json:"clusterRoles" yaml:"clusterRoles"` - - // UserInfo is the userInfo carried in the admission request. - // +optional - AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"` -} - -// GenerateRequestStatus stores the status of generated request. -type GenerateRequestStatus struct { - // State represents state of the generate request. - State GenerateRequestState `json:"state" yaml:"state"` - - // Specifies request status message. - // +optional - Message string `json:"message,omitempty" yaml:"message,omitempty"` - - // This will track the resources that are generated by the generate Policy. - // Will be used during clean up resources. - GeneratedResources []ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"` -} - -// GenerateRequestState defines the state of request. -type GenerateRequestState string - -const ( - // Pending - the Request is yet to be processed or resource has not been created. 
- Pending GenerateRequestState = "Pending" - - // Failed - the Generate Request Controller failed to process the rules. - Failed GenerateRequestState = "Failed" - - // Completed - the Generate Request Controller created resources defined in the policy. - Completed GenerateRequestState = "Completed" - - // Skip - the Generate Request Controller skips to generate the resource. - Skip GenerateRequestState = "Skip" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// GenerateRequestList stores the list of generate requests. -type GenerateRequestList struct { - metav1.TypeMeta `json:",inline" yaml:",inline"` - metav1.ListMeta `json:"metadata" yaml:"metadata"` - Items []GenerateRequest `json:"items" yaml:"items"` -} diff --git a/api/kyverno/v1/image_verification_test.go b/api/kyverno/v1/image_verification_test.go index 67883bd92e72..1f663a872903 100644 --- a/api/kyverno/v1/image_verification_test.go +++ b/api/kyverno/v1/image_verification_test.go @@ -126,7 +126,24 @@ func Test_ImageVerification(t *testing.T) { }, }, { - name: "valid static key attestor", + name: "static key invalid signature algorithm attestor", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestors: []AttestorSet{ + {Entries: []Attestor{{ + Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha1"}, + }}}, + }, + }, + errors: func(i *ImageVerification) field.ErrorList { + return field.ErrorList{ + field.Invalid(path.Child("attestors").Index(0).Child("entries").Index(0).Child("keys"), + i.Attestors[0].Entries[0].Keys, "Invalid signature algorithm provided"), + } + }, + }, + { + name: "valid static key default signature algorithm attestor", subject: ImageVerification{ ImageReferences: []string{"*"}, Attestors: []AttestorSet{ 
@@ -136,13 +153,46 @@ func Test_ImageVerification(t *testing.T) { }, }, }, + { + name: "valid static key sha224 signature algorithm attestor", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestors: []AttestorSet{ + {Entries: []Attestor{{ + Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha224"}, + }}}, + }, + }, + }, + { + name: "valid static key sah256 signature algorithm attestor", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestors: []AttestorSet{ + {Entries: []Attestor{{ + Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha256"}, + }}}, + }, + }, + }, + { + name: "valid static key sha384 signature algorithm attestor", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestors: []AttestorSet{ + {Entries: []Attestor{{ + Keys: &StaticKeyAttestor{PublicKeys: "bla", SignatureAlgorithm: "sha384"}, + }}}, + }, + }, + }, { name: "invalid keyless attestor", subject: ImageVerification{ ImageReferences: []string{"*"}, Attestors: []AttestorSet{ {Entries: []Attestor{{ - Keyless: &KeylessAttestor{Rekor: &CTLog{}, Issuer: "", Subject: ""}, + Keyless: &KeylessAttestor{Rekor: &Rekor{}, Issuer: "", Subject: ""}, }}}, }, }, @@ -159,7 +209,7 @@ func Test_ImageVerification(t *testing.T) { ImageReferences: []string{"*"}, Attestors: []AttestorSet{ {Entries: []Attestor{{ - Keyless: &KeylessAttestor{Rekor: &CTLog{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"}, + Keyless: &KeylessAttestor{Rekor: &Rekor{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"}, }}}, }, }, 
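Review bot: The new positive cases stop at sha384 although `signatureAlgorithmMap` in this diff's types change also accepts `sha512`, so the widest accepted value is never exercised; add a `valid static key sha512 signature algorithm attestor` case mirroring the sha384 one. The sha256 case name is misspelled (`sah256`) and should read `valid static key sha256 signature algorithm attestor`. Test_ImageVerification's table starts before this hunk.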
@@ -199,9 +249,116 @@ func Test_ImageVerification(t *testing.T) { }, } + isAuditFailureAction := false + for _, test := range testCases { + subject := test.subject.Convert() + errs := subject.Validate(isAuditFailureAction, path) + var expectedErrs field.ErrorList + if test.errors != nil { + expectedErrs = test.errors(subject) + } + + assert.Equal(t, len(errs), len(expectedErrs), fmt.Sprintf("test `%s` error count mismatch, errors %v", test.name, errs)) + if len(errs) != 0 { + assert.DeepEqual(t, errs, expectedErrs) + } + } +} + +func Test_Audit_VerifyImageRule(t *testing.T) { + path := field.NewPath("dummy") + testCases := []struct { + name string + subject ImageVerification + errors func(*ImageVerification) field.ErrorList + }{ + { + name: "mutateDigest set to true for audit failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: true, + }, + errors: func(i *ImageVerification) field.ErrorList { + return field.ErrorList{ + field.Invalid( + path.Child("mutateDigest"), + i.MutateDigest, + "mutateDigest must be set to false for ‘Audit’ failure action"), + } + }, + }, + { + name: "mutateDigest set to false for audit failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: false, + }, + }, + } + + isAuditFailureAction := true // indicates validateFailureAction set to Audit + for _, test := range testCases { + subject := test.subject.Convert() + errs := subject.Validate(isAuditFailureAction, path) + var expectedErrs field.ErrorList + if test.errors != nil { + expectedErrs = test.errors(subject) + } + + assert.Equal(t, len(errs), len(expectedErrs), fmt.Sprintf("test `%s` error count mismatch, errors %v", test.name, errs)) + if len(errs) != 0 { + assert.DeepEqual(t, errs, expectedErrs) + } + } +} + +func Test_Enforce_VerifyImageRule(t *testing.T) { + path := 
field.NewPath("dummy") + testCases := []struct { + name string + subject ImageVerification + errors func(*ImageVerification) field.ErrorList + }{ + { + name: "mutateDigest set to true for enforce failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: true, + }, + }, + { + name: "mutateDigest set to false for enforce failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: false, + }, + }, + } + + isAuditFailureAction := false // indicates validateFailureAction set to Enforce for _, test := range testCases { subject := test.subject.Convert() - errs := subject.Validate(path) + errs := subject.Validate(isAuditFailureAction, path) var expectedErrs field.ErrorList if test.errors != nil { expectedErrs = test.errors(subject) diff --git a/api/kyverno/v1/image_verification_types.go b/api/kyverno/v1/image_verification_types.go index 86a6fe2a3629..30925a772cd0 100644 --- a/api/kyverno/v1/image_verification_types.go +++ b/api/kyverno/v1/image_verification_types.go 
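Review bot: Nothing in the new tables covers the Notary restriction that `ImageVerification.Validate` gains later in this diff (`keys`/`keyless` entries rejected when `Type` is `Notary`), so that rejection path lands untested; add a case with `Type: Notary` and a `Keys` attestor expecting the `Keys field is not allowed for type notary` error, and one with a `Certificates` entry that is accepted. Test_Enforce_VerifyImageRule holds only passing cases, so it proves nothing beyond "no error"; a one-line comment such as `// Enforce places no constraint on mutateDigest; both values must validate.` would make that intent explicit. The loop at the end of this hunk belongs to Test_Enforce_VerifyImageRule, whose closing brace is outside the hunk.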
@@ -2,18 +2,54 @@ package v1 import ( "encoding/json" + "fmt" - "github.com/pkg/errors" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/util/validation/field" ) +// ImageVerificationType selects the type of verification algorithm +// +kubebuilder:validation:Enum=Cosign;Notary +// +kubebuilder:default=Cosign +type ImageVerificationType string + +// ImageRegistryCredentialsProvidersType provides the list of credential providers required. +// +kubebuilder:validation:Enum=default;amazon;azure;google;github +type ImageRegistryCredentialsProvidersType string + +const ( + Cosign ImageVerificationType = "Cosign" + Notary ImageVerificationType = "Notary" + + DEFAULT ImageRegistryCredentialsProvidersType = "default" + AWS ImageRegistryCredentialsProvidersType = "amazon" + ACR ImageRegistryCredentialsProvidersType = "azure" + GCP ImageRegistryCredentialsProvidersType = "google" + GHCR ImageRegistryCredentialsProvidersType = "github" +) + +var signatureAlgorithmMap = map[string]bool{ + "": true, + "sha224": true, + "sha256": true, + "sha384": true, + "sha512": true, +} + // ImageVerification validates that images that match the specified pattern // are signed with the supplied public key. Once the image is verified it is // mutated to include the SHA digest retrieved during the registration. type ImageVerification struct { - // Image is the image name consisting of the registry address, repository, image, and tag. - // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + // Allowed values are Audit or Enforce. + // +optional + // +kubebuilder:validation:Enum=Audit;Enforce + ValidationFailureAction *ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + + // Type specifies the method of signature validation. The allowed options + // are Cosign and Notary. By default Cosign is used if a type is not specified. 
+ // +kubebuilder:validation:Optional + Type ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"` + // Deprecated. Use ImageReferences instead. // +kubebuilder:validation:Optional Image string `json:"image,omitempty" yaml:"image,omitempty"` @@ -25,23 +61,25 @@ type ImageVerification struct { // +kubebuilder:validation:Optional ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"` - // Key is the PEM encoded public key that the image or attestation is signed with. + // SkipImageReferences is a list of matching image reference patterns that should be skipped. + // At least one pattern in the list must match the image for the rule to be skipped. Each image reference + // consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + // +kubebuilder:validation:Optional + SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"` + // Deprecated. Use StaticKeyAttestor instead. Key string `json:"key,omitempty" yaml:"key,omitempty"` - // Roots is the PEM encoded Root certificate chain used for keyless signing // Deprecated. Use KeylessAttestor instead. Roots string `json:"roots,omitempty" yaml:"roots,omitempty"` - // Subject is the identity used for keyless signing, for example an email address // Deprecated. Use KeylessAttestor instead. Subject string `json:"subject,omitempty" yaml:"subject,omitempty"` - // Issuer is the certificate issuer used for keyless signing. // Deprecated. Use KeylessAttestor instead. Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"` - // AdditionalExtensions are certificate-extensions used for keyless signing. // Deprecated. AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"` 
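Review bot: The doc comment on the new `ValidationFailureAction` field neither names the field nor says what the value controls, so the generated CRD description will read only "Allowed values are Audit or Enforce."; suggest `// ValidationFailureAction defines whether a failed image verification blocks the admission request (Enforce) or only reports it (Audit) for this rule. Allowed values are Audit or Enforce.` `signatureAlgorithmMap` is only ever consulted for membership (`_, ok := signatureAlgorithmMap[...]` later in this diff), so `map[string]struct{}` states that more clearly than `map[string]bool`, whose `true` values are never read. The `""` entry presumably exists because `SignatureAlgorithm` is defaulted to sha256 by the API server but may be empty on other paths; a comment `// "" is accepted: an unset algorithm falls back to the sha256 default` would record that.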
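Review bot: `SkipImageReferences` is a verification bypass and its doc should say so: a pattern wider than intended (`*`, or `docker.io/*` given the documented docker.io default) silently exempts every matching image from signature checks, and the visible parts of `Validate` in this diff never reject such a pattern. Suggest appending `// Images matched by a skip pattern are not verified at all, so keep these patterns as narrow as possible; a bare '*' disables the rule.` to the field comment, and consider rejecting `*` in `Validate`. The deprecated `Key`/`Roots`/`Subject`/`Issuer`/`AdditionalExtensions` fields lose their descriptions here; Go's convention is a `// Deprecated: use StaticKeyAttestor instead.` paragraph, which tooling recognises, rather than `// Deprecated. Use ... instead.`.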
@@ -54,9 +92,6 @@ type ImageVerification struct { // OCI registry and decodes them into a list of Statement declarations. Attestations []Attestation `json:"attestations,omitempty" yaml:"attestations,omitempty"` - // Annotations are used for image verification. - // Every specified key-value pair must exist and match in the verified payload. - // The payload may contain other key-value pairs. // Deprecated. Use annotations per Attestor instead. Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` @@ -65,6 +100,11 @@ type ImageVerification struct { // The repository can also be overridden per Attestor or Attestation. Repository string `json:"repository,omitempty" yaml:"repository,omitempty"` + // CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + // Defaults to false. + // +optional + CosignOCI11 bool `json:"cosignOCI11,omitempty"` + // MutateDigest enables replacement of image tags with digests. // Defaults to true. // +kubebuilder:default=true @@ -80,6 +120,15 @@ type ImageVerification struct { // +kubebuilder:default=true // +kubebuilder:validation:Optional Required bool `json:"required" yaml:"required"` + + // ImageRegistryCredentials provides credentials that will be used for authentication with registry. + // +kubebuilder:validation:Optional + ImageRegistryCredentials *ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"` + + // UseCache enables caching of image verify responses for this rule. + // +kubebuilder:default=true + // +kubebuilder:validation:Optional + UseCache bool `json:"useCache" yaml:"useCache"` } type AttestorSet struct { 
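Review bot: `UseCache` defaults to true but its comment says nothing about what invalidates a cached verify result, which matters for a security control: a cached pass could keep admitting an image after the rule's keys or attestors change until the entry expires. The cache key and TTL are not in this hunk, so I cannot tell what they are; please document them on the field, e.g. `// UseCache enables caching of image verify responses for this rule. Cached results are keyed on <...> and expire after <...>; set to false for rules whose trust material rotates frequently.` `CosignOCI11` is marked experimental but the text only says "OCI 1.1 behaviour"; naming what changes when it is enabled (which referrer/tag scheme is consulted for signatures) would let operators assess it.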
@@ -96,12 +145,19 @@ type AttestorSet struct { Entries []Attestor `json:"entries,omitempty" yaml:"entries,omitempty"` } +func (as AttestorSet) RequiredCount() int { + if as.Count == nil || *as.Count == 0 { + return len(as.Entries) + } + return *as.Count +} + type Attestor struct { - // Keys specifies one or more public keys + // Keys specifies one or more public keys. // +kubebuilder:validation:Optional Keys *StaticKeyAttestor `json:"keys,omitempty" yaml:"keys,omitempty"` - // Certificates specifies one or more certificates + // Certificates specifies one or more certificates. // +kubebuilder:validation:Optional Certificates *CertificateAttestor `json:"certificates,omitempty" yaml:"certificates,omitempty"` @@ -110,7 +166,7 @@ type Attestor struct { // +kubebuilder:validation:Optional Keyless *KeylessAttestor `json:"keyless,omitempty" yaml:"keyless,omitempty"` - // Attestor is a nested AttestorSet used to specify a more complex set of match authorities + // Attestor is a nested set of Attestor used to specify a more complex set of match authorities. // +kubebuilder:validation:Optional Attestor *apiextv1.JSON `json:"attestor,omitempty" yaml:"attestor,omitempty"` @@ -135,7 +191,7 @@ type StaticKeyAttestor struct { // (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. PublicKeys string `json:"publicKeys,omitempty" yaml:"publicKeys,omitempty"` - // Specify signature algorithm for public keys. Supported values are sha256 and sha512 + // Specify signature algorithm for public keys. Supported values are sha224, sha256, sha384 and sha512. // +kubebuilder:default=sha256 SignatureAlgorithm string `json:"signatureAlgorithm,omitempty" yaml:"signatureAlgorithm,omitempty"` 
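Review bot: `RequiredCount` is exported without a doc comment, and its fallback to `len(as.Entries)` when `Count` is nil or 0 is the rule that decides how many attestors must succeed, so it deserves spelling out: `// RequiredCount returns how many entries of the set must verify successfully: Count when it is set and non-zero, otherwise every entry.` Whether a negative `Count` or one larger than `len(as.Entries)` is rejected is not visible here (AttestorSet.Validate is outside this hunk); if it is not, a `Count` above the entry count can never be satisfied and should be reported at validation time.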
@@ -146,11 +202,15 @@ type StaticKeyAttestor struct { // Reference to a Secret resource that contains a public key Secret *SecretReference `json:"secret,omitempty" yaml:"secret,omitempty"` - // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked. If an empty object is provided the public instance of - // Rekor (https://rekor.sigstore.dev) is used. + // Rekor provides configuration for the Rekor transparency log service. If an empty object + // is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. // +kubebuilder:validation:Optional - Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"` + Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"` + + // CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + // Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + // +kubebuilder:validation:Optional + CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"` } type SecretReference struct { 
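Review bot: The rewritten `Rekor` comment drops the sentence that said what a nil value means ("Rekor is not checked"), and with the new `IgnoreTlog` knob on `Rekor` the nil case is now ambiguous: is the transparency log checked against the public instance when `rekor` is omitted, or skipped? That distinction is the difference between an enforced tlog and none, so the comment should state the nil behaviour explicitly, e.g. `// If nil, <state the actual default>; if an empty object is provided the public instance (https://rekor.sigstore.dev) is used.` The `CTLog` comment's "the default behavior by Cosign is used" has the same problem; name the default (SCT required or not) rather than deferring to cosign.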
@@ -162,33 +222,41 @@ type SecretReference struct { } type CertificateAttestor struct { - // Certificate is an optional PEM encoded public certificate. + // Cert is an optional PEM-encoded public certificate. // +kubebuilder:validation:Optional Certificate string `json:"cert,omitempty" yaml:"cert,omitempty"` - // CertificateChain is an optional PEM encoded set of certificates used to verify + // CertChain is an optional PEM encoded set of certificates used to verify. // +kubebuilder:validation:Optional CertificateChain string `json:"certChain,omitempty" yaml:"certChain,omitempty"` - // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked. If an empty object is provided the public instance of - // Rekor (https://rekor.sigstore.dev) is used. + // Rekor provides configuration for the Rekor transparency log service. If an empty object + // is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. // +kubebuilder:validation:Optional - Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"` + Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"` + + // CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + // Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + // +kubebuilder:validation:Optional + CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"` } type KeylessAttestor struct { - // Rekor provides configuration for the Rekor transparency log service. If the value is nil, - // Rekor is not checked and a root certificate chain is expected instead. If an empty object + // Rekor provides configuration for the Rekor transparency log service. If an empty object // is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. 
// +kubebuilder:validation:Optional - Rekor *CTLog `json:"rekor,omitempty" yaml:"rekor,omitempty"` + Rekor *Rekor `json:"rekor,omitempty" yaml:"rekor,omitempty"` + + // CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + // Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + // +kubebuilder:validation:Optional + CTLog *CTLog `json:"ctlog,omitempty" yaml:"ctlog,omitempty"` // Issuer is the certificate issuer used for keyless signing. // +kubebuilder:validation:Optional Issuer string `json:"issuer,omitempty" yaml:"issuer,omitempty"` - // Subject is the verified identity used for keyless signing, for example the email address + // Subject is the verified identity used for keyless signing, for example the email address. // +kubebuilder:validation:Optional Subject string `json:"subject,omitempty" yaml:"subject,omitempty"` 
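Review bot: For `KeylessAttestor` the old comment also said that a nil `Rekor` meant "a root certificate chain is expected instead"; the new text removes that without saying whether keyless verification without a tlog is still permitted or what trust root applies then. Keyless signatures rely on a short-lived certificate, so the log entry (or a signed timestamp) is what proves the signature was made while the certificate was valid; skipping it silently is a weakening worth stating on the field: `// If nil, <state whether tlog verification is skipped and what then proves the signing time>.` `Issuer` and `Subject` are marked Optional here while the case named `invalid keyless attestor` in this diff's test table uses empty values for both; a comment noting what `Validate` requires would keep the CRD markers from misleading readers.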
@@ -202,22 +270,52 @@ type KeylessAttestor struct { AdditionalExtensions map[string]string `json:"additionalExtensions,omitempty" yaml:"additionalExtensions,omitempty"` } -type CTLog struct { - // URL is the address of the transparency log. Defaults to the public log https://rekor.sigstore.dev. - // +kubebuilder:validation:Required +type Rekor struct { + // URL is the address of the transparency log. Defaults to the public Rekor log instance https://rekor.sigstore.dev. + // +kubebuilder:validation:Optional // +kubebuilder:Default:=https://rekor.sigstore.dev URL string `json:"url" yaml:"url"` + + // RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + // If set, this will be used to validate transparency log signatures from a custom Rekor. + // +kubebuilder:validation:Optional + RekorPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"` + + // IgnoreTlog skips transparency log verification. + // +kubebuilder:validation:Optional + IgnoreTlog bool `json:"ignoreTlog,omitempty" yaml:"ignoreTlog,omitempty"` +} + +type CTLog struct { + // IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + // timestamp. Default is false. Set to true if this was opted out during signing. + // +kubebuilder:validation:Optional + IgnoreSCT bool `json:"ignoreSCT,omitempty" yaml:"ignoreSCT,omitempty"` + + // PubKey, if set, is used to validate SCTs against a custom source. + // +kubebuilder:validation:Optional + CTLogPubKey string `json:"pubkey,omitempty" yaml:"pubkey,omitempty"` + + // TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + // contain the root CA certificate. Optionally may contain intermediate CA certificates, and + // may contain the leaf TSA certificate if not present in the timestamurce. 
+ // +kubebuilder:validation:Optional + TSACertChain string `json:"tsaCertChain,omitempty" yaml:"tsaCertChain,omitempty"` } // Attestation are checks for signed in-toto Statements that are used to verify the image. // See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the // OCI registry and decodes them into a list of Statements. type Attestation struct { - // PredicateType defines the type of Predicate contained within the Statement. - // +kubebuilder:validation:Required + // Deprecated in favour of 'Type', to be removed soon + // +kubebuilder:validation:Optional PredicateType string `json:"predicateType" yaml:"predicateType"` - // Attestors specify the required attestors (i.e. authorities) + // Type defines the type of attestation contained within the Statement. + // +kubebuilder:validation:Optional + Type string `json:"type" yaml:"type"` + + // Attestors specify the required attestors (i.e. authorities). // +kubebuilder:validation:Optional Attestors []AttestorSet `json:"attestors" yaml:"attestors"` 
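Review bot: `IgnoreTlog` and `IgnoreSCT` each turn off a check that anchors a signature in time, and their comments should say what that costs: with `ignoreTlog: true` there is no logged, timestamped record of the signature, so nothing establishes when it was produced, and for keyless signing nothing proves it was made while the short-lived certificate was valid; with `ignoreSCT: true` a certificate is accepted without proof it was logged. Suggest `// IgnoreTlog skips transparency log verification. Only set this when the signing setup did not upload to Rekor; it removes the evidence that the signature existed while the key or certificate was valid.` and the analogous sentence on `IgnoreSCT`. The `TSACertChain` comment ends in the garbled word `timestamurce` (presumably "timestamp response"). The `PredicateType` deprecation note should use the Go form `// Deprecated: use Type instead.` and, since both `PredicateType` and `Type` are now Optional, state which one `Validate` requires (that check is not in this hunk).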
@@ -227,10 +325,38 @@ type Attestation struct { Conditions []AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"` } +type ImageRegistryCredentials struct { + // AllowInsecureRegistry allows insecure access to a registry. + // +kubebuilder:validation:Optional + AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty" yaml:"allowInsecureRegistry,omitempty"` + + // Providers specifies a list of OCI Registry names, whose authentication providers are provided. + // It can be of one of these values: default,google,azure,amazon,github. + // +kubebuilder:validation:Optional + Providers []ImageRegistryCredentialsProvidersType `json:"providers,omitempty" yaml:"providers,omitempty"` + + // Secrets specifies a list of secrets that are provided for credentials. + // Secrets must live in the Kyverno namespace. + // +kubebuilder:validation:Optional + Secrets []string `json:"secrets,omitempty" yaml:"secrets,omitempty"` +} + +func (iv *ImageVerification) GetType() ImageVerificationType { + if iv.Type != "" { + return iv.Type + } + + return Cosign +} + // Validate implements programmatic validation -func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { +func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Path) (errs field.ErrorList) { copy := iv.Convert() + if isAuditFailureAction && iv.MutateDigest { + errs = append(errs, field.Invalid(path.Child("mutateDigest"), iv.MutateDigest, "mutateDigest must be set to false for ‘Audit’ failure action")) + } + if len(copy.ImageReferences) == 0 { errs = append(errs, field.Invalid(path, iv, "An image reference is required")) } 
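Review bot: `Validate` decides the `mutateDigest` check from the caller-supplied `isAuditFailureAction` and never reads the per-rule `ValidationFailureAction` introduced earlier in this diff, so a rule that sets `validationFailureAction: Audit` under an Enforce spec keeps `mutateDigest: true` and is accepted, unless the caller already folds the rule-level value into the flag, which is not visible here. If it does not, resolve it at the top of the function (assuming the Audit;Enforce enum is a string type): `if iv.ValidationFailureAction != nil { isAuditFailureAction = *iv.ValidationFailureAction == "Audit" }`. `AllowInsecureRegistry` is documented only as "allows insecure access"; say concretely what it disables (plain HTTP, TLS certificate verification, or both, whichever the registry client does with it), because operators read it as a TLS bypass. `GetType` is exported and has no doc comment; `// GetType returns the configured verification type, defaulting to Cosign.` covers it.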
@@ -247,6 +373,19 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { errs = append(errs, attestorErrors...) } + if iv.Type == Notary { + for _, attestorSet := range iv.Attestors { + for _, attestor := range attestorSet.Entries { + if attestor.Keyless != nil { + errs = append(errs, field.Invalid(attestorsPath, iv, "Keyless field is not allowed for type notary")) + } + if attestor.Keys != nil { + errs = append(errs, field.Invalid(attestorsPath, iv, "Keys field is not allowed for type notary")) + } + } + } + } + return errs } @@ -332,7 +471,7 @@ func (a *Attestor) Validate(path *field.Path) (errs field.ErrorList) { func AttestorSetUnmarshal(o *apiextv1.JSON) (*AttestorSet, error) { var as AttestorSet if err := json.Unmarshal(o.Raw, &as); err != nil { - return nil, errors.Wrapf(err, "failed to unmarshal attestor set %s", string(o.Raw)) + return nil, fmt.Errorf("failed to unmarshal attestor set %s: %w", string(o.Raw), err) } return &as, nil @@ -342,8 +481,10 @@ func (ska *StaticKeyAttestor) Validate(path *field.Path) (errs field.ErrorList) if ska.PublicKeys == "" && ska.KMS == "" && ska.Secret == nil { errs = append(errs, field.Invalid(path, ska, "A public key, kms key or secret is required")) } - if ska.PublicKeys != "" && ska.SignatureAlgorithm != "" && ska.SignatureAlgorithm != "sha256" && ska.SignatureAlgorithm != "sha512" { - errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided")) + if ska.PublicKeys != "" { + if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok { + errs = append(errs, field.Invalid(path, ska, "Invalid signature algorithm provided")) + } } return errs } diff --git a/api/kyverno/v1/match_resources_test.go b/api/kyverno/v1/match_resources_test.go index 84052b645fc2..ff2d11446744 100644 --- a/api/kyverno/v1/match_resources_test.go +++ b/api/kyverno/v1/match_resources_test.go 
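Review bot: The Notary restriction only walks the top-level `attestorSet.Entries`; an entry's nested `Attestor` (the `apiextv1.JSON` decoded by `AttestorSetUnmarshal`) is not inspected, so a `keys` or `keyless` attestor one level down passes validation for `type: Notary` even though the same entry at the top level is rejected. A small recursive helper that unmarshals nested sets and applies the same two checks closes that gap, and it should report the offending entry's path and value instead of `attestorsPath`/`iv`, which currently dumps the entire rule into every message. The rest of `Validate` above this hunk is unchanged.
```go
	if iv.Type == Notary {
		for i, attestorSet := range iv.Attestors {
			errs = append(errs, validateNotaryAttestorSet(attestorsPath.Index(i), attestorSet)...)
		}
	}

	return errs
}

// validateNotaryAttestorSet rejects keys/keyless entries at every nesting level for type Notary.
func validateNotaryAttestorSet(path *field.Path, as AttestorSet) (errs field.ErrorList) {
	for i, attestor := range as.Entries {
		entryPath := path.Child("entries").Index(i)
		if attestor.Keyless != nil {
			errs = append(errs, field.Invalid(entryPath.Child("keyless"), attestor.Keyless, "Keyless field is not allowed for type notary"))
		}
		if attestor.Keys != nil {
			errs = append(errs, field.Invalid(entryPath.Child("keys"), attestor.Keys, "Keys field is not allowed for type notary"))
		}
		if attestor.Attestor != nil {
			nested, err := AttestorSetUnmarshal(attestor.Attestor)
			if err != nil {
				errs = append(errs, field.Invalid(entryPath.Child("attestor"), attestor.Attestor, err.Error()))
				continue
			}
			errs = append(errs, validateNotaryAttestorSet(entryPath.Child("attestor"), *nested)...)
		}
	}
	return errs
}
```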
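Review bot: The algorithm check still runs only when `ska.PublicKeys != ""`, so a KMS- or Secret-backed key paired with `signatureAlgorithm: sha1` is accepted by `Validate` and only fails, or is silently ignored, at verification time; if the algorithm is applied to those key sources as well (not visible in this hunk), drop the outer guard and validate unconditionally: `if _, ok := signatureAlgorithmMap[ska.SignatureAlgorithm]; !ok {`. The lookup is membership-only, so `signatureAlgorithmMap` can be a `map[string]struct{}`. StaticKeyAttestor.Validate opens before this hunk.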
@@ -52,7 +52,7 @@ func Test_MatchResources(t *testing.T) { }}, }, errors: []string{ - `dummy: Invalid value: v1.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}}}, UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject(nil)}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}}: Can't specify any and all together`, + `dummy: Invalid value: v1.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, 
All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject(nil)}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}: Can't specify any and all together`, }, }} diff --git a/api/kyverno/v1/policy_interface.go b/api/kyverno/v1/policy_interface.go index aec9b7ef2b19..28418daea76a 100644 --- a/api/kyverno/v1/policy_interface.go +++ b/api/kyverno/v1/policy_interface.go @@ -10,8 +10,8 @@ import ( // +kubebuilder:object:generate=false type PolicyInterface interface { metav1.Object + AdmissionProcessingEnabled() bool BackgroundProcessingEnabled() bool - HasAutoGenAnnotation() bool IsNamespaced() bool GetSpec() *Spec GetStatus() *PolicyStatus @@ -19,5 +19,4 @@ type PolicyInterface interface { GetKind() string CreateDeepCopy() PolicyInterface IsReady() bool - ValidateSchema() bool } diff --git a/api/kyverno/v1/policy_status.go b/api/kyverno/v1/policy_status.go index dbe3eb265579..a19fab99d489 100644 --- a/api/kyverno/v1/policy_status.go +++ b/api/kyverno/v1/policy_status.go @@ -6,7 +6,7 @@ import ( ) const ( - // Ready means that the policy is ready + // PolicyConditionReady means that the policy is ready PolicyConditionReady = "Ready" ) 
@@ -17,22 +17,20 @@ const ( PolicyReasonFailed = "Failed" ) -// PolicyStatus mostly contains runtime information related to policy execution. // Deprecated. Policy metrics are now available via the "/metrics" endpoint. // See: https://kyverno.io/docs/monitoring-kyverno-with-prometheus-metrics/ type PolicyStatus struct { - // Ready indicates if the policy is ready to serve the admission request. // Deprecated in favor of Conditions Ready bool `json:"ready" yaml:"ready"` - // Conditions is a list of conditions that apply to the policy // +optional Conditions []metav1.Condition `json:"conditions,omitempty"` - // Autogen contains autogen status information // +optional Autogen AutogenStatus `json:"autogen" yaml:"autogen"` - // RuleCount describes total number of rules in a policy // +optional RuleCount RuleCountStatus `json:"rulecount" yaml:"rulecount"` + // ValidatingAdmissionPolicy contains status information + // +optional + ValidatingAdmissionPolicy ValidatingAdmissionPolicyStatus `json:"validatingadmissionpolicy" yaml:"validatingadmissionpolicy"` } // RuleCountStatus contains four variables which describes counts for @@ -48,9 +46,10 @@ type RuleCountStatus struct { VerifyImages int `json:"verifyimages" yaml:"verifyimages"` } -func (status *PolicyStatus) SetReady(ready bool) { +func (status *PolicyStatus) SetReady(ready bool, message string) { condition := metav1.Condition{ - Type: PolicyConditionReady, + Type: PolicyConditionReady, + Message: message, } if ready { condition.Status = metav1.ConditionTrue 
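Review bot: This hunk deletes the descriptive sentence from every `PolicyStatus` field (`Ready`, `Conditions`, `Autogen`, `RuleCount`), leaving only markers, so the generated CRD and `kubectl explain` output lose their field descriptions; the new `ValidatingAdmissionPolicy` field inherits the same terseness ("contains status information"). Keep the one-line descriptions and make the new one specific, e.g. `// ValidatingAdmissionPolicy reports whether a ValidatingAdmissionPolicy was generated from this policy and, if not, why.` The type comment above the struct now starts with "Deprecated." instead of the type name, which also breaks the Go doc convention the old first line satisfied.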
@@ -74,3 +73,12 @@ type AutogenStatus struct { // Rules is a list of Rule instances. It contains auto generated rules added for pod controllers Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"` } + +// ValidatingAdmissionPolicy contains status information +type ValidatingAdmissionPolicyStatus struct { + // Generated indicates whether a validating admission policy is generated from the policy or not + Generated bool `json:"generated" yaml:"generated"` + // Message is a human readable message indicating details about the generation of validating admission policy + // It is an empty string when validating admission policy is successfully generated. + Message string `json:"message" yaml:"message"` +} diff --git a/api/kyverno/v1/policy_test.go b/api/kyverno/v1/policy_test.go index f374dc9fa952..ec0b417d12d6 100644 --- a/api/kyverno/v1/policy_test.go +++ b/api/kyverno/v1/policy_test.go @@ -3,6 +3,7 @@ package v1 import ( "testing" + "github.com/kyverno/kyverno/api/kyverno" "gotest.tools/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/validation/field" @@ -44,7 +45,7 @@ func Test_Policy_Autogen_All(t *testing.T) { Name: "policy", Namespace: "abcd", Annotations: map[string]string{ - PodControllersAnnotation: "all", + kyverno.AnnotationAutogenControllers: "all", }, }, } diff --git a/api/kyverno/v1/policy_types.go b/api/kyverno/v1/policy_types.go index 37cd3f4af8df..29941d8ab1c4 100644 --- a/api/kyverno/v1/policy_types.go +++ b/api/kyverno/v1/policy_types.go @@ -3,6 +3,7 @@ package v1 import ( "strings" + "github.com/kyverno/kyverno/api/kyverno" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" 
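Review bot: The doc comment on the new type reads `// ValidatingAdmissionPolicy contains status information` but the type is `ValidatingAdmissionPolicyStatus`; Go doc tooling and lint expect the comment to start with the identifier, so `// ValidatingAdmissionPolicyStatus reports the outcome of generating a ValidatingAdmissionPolicy from this policy.` `Message` is serialised without `omitempty` even though its comment says it is empty on success, so every status will carry `"message": ""`; either add `omitempty` to the tag or drop the sentence so the two agree.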
@@ -12,15 +13,16 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// 
+kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // +kubebuilder:resource:shortName=pol,categories=kyverno // +kubebuilder:storageversion @@ -33,7 +35,6 @@ type Policy struct { // Spec defines policy behaviors and contains one or more rules. Spec Spec `json:"spec" yaml:"spec"` - // Status contains policy runtime information. // +optional // Deprecated. Policy metrics are available via the metrics endpoint Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"` @@ -42,7 +43,7 @@ type Policy struct { // HasAutoGenAnnotation checks if a policy has auto-gen annotation func (p *Policy) HasAutoGenAnnotation() bool { annotations := p.GetAnnotations() - val, ok := annotations[PodControllersAnnotation] + val, ok := annotations[kyverno.AnnotationAutogenControllers] if ok && strings.ToLower(val) != "none" { return true } @@ -52,7 +53,7 @@ func (p *Policy) HasAutoGenAnnotation() bool { // HasMutateOrValidateOrGenerate checks for rule types func (p *Policy) HasMutateOrValidateOrGenerate() bool { for _, rule := range p.Spec.Rules { - if rule.HasMutate() || rule.HasValidate() || rule.HasGenerate() { + if rule.HasMutateStandard() || rule.HasValidate() || rule.HasGenerate() { return true } } @@ -79,6 +80,11 @@ func (p *Policy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *Policy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *Policy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() 
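Review bot: `HasMutateOrValidateOrGenerate` now calls `rule.HasMutateStandard()` instead of `rule.HasMutate()`, so a rule whose only action is the non-standard mutate form (presumably mutate-existing; `HasMutateStandard` is not shown here) no longer makes the method return true, which is a behaviour change the comment `// HasMutateOrValidateOrGenerate checks for rule types` does not mention. If intended, say so: `// HasMutateOrValidateOrGenerate reports whether any rule has a standard mutate, validate or generate action; mutate-existing rules are not counted.` The new `AdmissionProcessingEnabled` wrapper is fine, though the spec-level default it relies on is outside this hunk.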
@@ -104,22 +110,18 @@ func (p *Policy) IsReady() bool {
 return p.Status.IsReady()
 }
-func (p *Policy) ValidateSchema() bool {
- return p.Spec.ValidateSchema()
-}
-
 // Validate implements programmatic validation.
 // namespaced means that the policy is bound to a namespace and therefore
 // should not filter/generate cluster wide resources.
 func (p *Policy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
 errs = append(errs, ValidateAutogenAnnotation(field.NewPath("metadata").Child("annotations"), p.GetAnnotations())...)
 errs = append(errs, ValidatePolicyName(field.NewPath("name"), p.Name)...)
- errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.Namespace, clusterResources)...)
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.GetNamespace(), clusterResources)...)
 return errs
 }
 func (p *Policy) GetKind() string {
- return p.Kind
+ return "Policy"
 }
 func (p *Policy) CreateDeepCopy() PolicyInterface {
diff --git a/api/kyverno/v1/register.go b/api/kyverno/v1/register.go
deleted file mode 100755
index 644b7b0bdbfd..000000000000
--- a/api/kyverno/v1/register.go
+++ /dev/null
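Review bot: GetKind now returns the literal "Policy" instead of p.Kind, which changes the result for any caller that relied on TypeMeta being populated, and the hunk records no reason. Suggest a comment such as `// GetKind returns the static kind rather than TypeMeta.Kind, which is commonly empty on objects returned by typed clients.` — the TypeMeta rationale is inferred and should be confirmed before it is written down. The other change in this hunk, p.Namespace to p.GetNamespace(), is equivalent and needs nothing.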
@@ -1,43 +0,0 @@
-package v1
-
-import (
- "github.com/kyverno/kyverno/api/kyverno"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-// SchemeGroupVersion is group version used to register these objects
-var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v1"}
-
-// Kind takes an unqualified kind and returns back a Group qualified GroupKind
-func Kind(kind string) schema.GroupKind {
- return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
- // SchemeBuilder builds the scheme
- SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
-
- // AddToScheme adds all types of this clientset into the given scheme
- AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to Scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &ClusterPolicy{},
- &ClusterPolicyList{},
- &GenerateRequest{},
- &GenerateRequestList{},
- &Policy{},
- &PolicyList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
diff --git a/api/kyverno/v1/resource_description_test.go b/api/kyverno/v1/resource_description_test.go
index 41e7ce9e723b..f66985151ab7 100644
--- a/api/kyverno/v1/resource_description_test.go
+++ b/api/kyverno/v1/resource_description_test.go
@@ -26,7 +26,7 @@ func Test_ResourceDescription(t *testing.T) {
 Names: []string{"bar", "baz"},
 },
 errors: []string{
- `dummy: Invalid value: v1.ResourceDescription{Kinds:[]string(nil), Name:"foo", Names:[]string{"bar", "baz"}, Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}: Both name and names can not be specified together`,
+ `dummy: Invalid value: v1.ResourceDescription{Kinds:[]string(nil), Name:"foo", Names:[]string{"bar", "baz"}, Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}: Both name and names can not be specified together`,
 },
 }, {
 name: "selector",
diff --git a/api/kyverno/v1/resource_description_types.go b/api/kyverno/v1/resource_description_types.go
index b57139d11766..35f275fd1d9c 100644
--- a/api/kyverno/v1/resource_description_types.go
+++ b/api/kyverno/v1/resource_description_types.go
@@ -51,6 +51,10 @@ type ResourceDescription struct {
 // does not match an empty label set.
 // +optional
 NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"`
+
+ // Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.
+ // +optional
+ Operations []AdmissionOperation `json:"operations,omitempty" yaml:"operations,omitempty"`
 }
 func (r ResourceDescription) IsEmpty() bool {
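Review bot: The doc comment on the new Operations field has a broken quote, `["CREATE, "UPDATE", "CONNECT", "DELETE"]`, which should read `["CREATE", "UPDATE", "CONNECT", "DELETE"]`. Nothing in this hunk constrains the values: unless AdmissionOperation carries a `+kubebuilder:validation:Enum` marker elsewhere (not visible here) or ResourceDescription.Validate checks the list, a misspelled value such as `Create` is accepted by the API server and then never matches, so the rule quietly stops applying to the operation the author meant. Worth confirming the enum is enforced at the CRD level or adding the check in Validate.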
@@ -63,6 +67,14 @@ func (r ResourceDescription) IsEmpty() bool {
 r.NamespaceSelector == nil
 }
+func (r ResourceDescription) GetOperations() []string {
+ ops := []string{}
+ for _, op := range r.Operations {
+ ops = append(ops, string(op))
+ }
+ return ops
+}
+
 // Validate implements programmatic validation
 func (r *ResourceDescription) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
 if r.Name != "" && len(r.Names) > 0 {
diff --git a/api/kyverno/v1/resource_spec_types.go b/api/kyverno/v1/resource_spec_types.go
index 59890fea7a67..16e2e766e868 100644
--- a/api/kyverno/v1/resource_spec_types.go
+++ b/api/kyverno/v1/resource_spec_types.go
@@ -1,5 +1,12 @@
 package v1
+import (
+ "strings"
+
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/apimachinery/pkg/types"
+)
+
 type ResourceSpec struct {
 // APIVersion specifies resource apiVersion.
 // +optional
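Review bot: GetOperations is exported without a doc comment and grows `ops` by repeated append from an empty literal. Suggest `// GetOperations returns the configured admission operations as plain strings (never nil).` and `ops := make([]string, 0, len(r.Operations))` so the slice is sized once; the result is still a non-nil empty slice when Operations is empty, which keeps the current behaviour for callers that range over it or encode it.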
@@ -12,9 +19,47 @@ type ResourceSpec struct {
 // Name specifies the resource name.
 // +optional
 Name string `json:"name,omitempty" yaml:"name,omitempty"`
+ // UID specifies the resource uid.
+ // +optional
+ UID types.UID `json:"uid,omitempty" yaml:"uid,omitempty"`
 }
 func (s ResourceSpec) GetName() string { return s.Name }
 func (s ResourceSpec) GetNamespace() string { return s.Namespace }
 func (s ResourceSpec) GetKind() string { return s.Kind }
 func (s ResourceSpec) GetAPIVersion() string { return s.APIVersion }
+func (s ResourceSpec) GetUID() types.UID { return s.UID }
+func (s ResourceSpec) GetGroupVersion() (schema.GroupVersion, error) {
+ return schema.ParseGroupVersion(s.APIVersion)
+}
+
+func (s ResourceSpec) String() string {
+ return strings.Join([]string{s.APIVersion, s.Kind, s.Namespace, s.Name}, "/")
+}
+
+// TargetResourceSpec defines targets for mutating existing resources.
+type TargetResourceSpec struct {
+ // ResourceSpec contains the target resources to load when mutating existing resources.
+ ResourceSpec `json:",omitempty" yaml:",omitempty"`
+
+ // Context defines variables and data sources that can be used during rule execution.
+ // +optional
+ Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
+
+ // Preconditions are used to determine if a policy rule should be applied by evaluating a
+ // set of conditions. The declaration can contain nested `any` or `all` statements. A direct list
+ // of conditions (without `any` or `all` statements is supported for backwards compatibility but
+ // will be deprecated in the next major release.
+ // See: https://kyverno.io/docs/writing-policies/preconditions/
+ // +optional
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
+}
+
+func (r *TargetResourceSpec) GetAnyAllConditions() any {
+ if r.RawAnyAllConditions == nil {
+ return nil
+ }
+ return r.RawAnyAllConditions.Conditions
+}
diff --git a/api/kyverno/v1/rule_test.go b/api/kyverno/v1/rule_test.go
index 57d178d72b5c..f90271a0cb20 100644
--- a/api/kyverno/v1/rule_test.go
+++ b/api/kyverno/v1/rule_test.go
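Review bot: ResourceSpec.String joins apiVersion, kind, namespace and name with "/", but apiVersion itself contains "/" for group APIs (for example `apps/v1`), and an empty namespace yields a double slash, so the output cannot be split back into its parts; if any caller uses it as a map key or identity, distinct resources can collide. Suggest documenting it as display-only: `// String returns "apiVersion/kind/namespace/name" for logging; it is not a parseable or unique key because apiVersion may itself contain "/".` GetUID and GetGroupVersion are also exported without doc comments; `// GetGroupVersion parses APIVersion into a schema.GroupVersion.` would do for the latter.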
@@ -834,3 +834,306 @@ func Test_Validate_ClusterPolicy_MutateRuleTargetNamespace(t *testing.T) {
 }
 }
 }
+
+func Test_Validate_ClusterPolicy_Generate_Variables(t *testing.T) {
+ path := field.NewPath("dummy")
+ testcases := []struct {
+ name string
+ rule []byte
+ shouldFail bool
+ }{
+ {
+ name: "clone-name",
+ rule: []byte(`
+ {
+ "name": "clone-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "name": "regcred",
+ "namespace": "test",
+ "synchronize": true,
+ "clone": {
+ "namespace": "default",
+ "name": "{{request.object.metadata.name}}"
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "clone-namespace",
+ rule: []byte(`
+ {
+ "name": "clone-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "name": "regcred",
+ "namespace": "test",
+ "synchronize": true,
+ "clone": {
+ "namespace": "{{request.object.metadata.name}}",
+ "name": "regcred"
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "cloneList-namespace",
+ rule: []byte(`
+ {
+ "name": "sync-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "namespace": "test",
+ "synchronize": true,
+ "cloneList": {
+ "namespace": "{{request.object.metadata.name}}",
+ "kinds": [
+ "v1/Secret",
+ "v1/ConfigMap"
+ ],
+ "selector": {
+ "matchLabels": {
+ "allowedToBeCloned": "true"
+ }
+ }
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "cloneList-kinds",
+ rule: []byte(`
+ {
+ "name": "sync-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "namespace": "test",
+ "synchronize": true,
+ "cloneList": {
+ "namespace": "default",
+ "kinds": [
+ "{{request.object.metadata.kind}}",
+ "v1/ConfigMap"
+ ],
+ "selector": {
+ "matchLabels": {
+ "allowedToBeCloned": "true"
+ }
+ }
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "cloneList-selector",
+ rule: []byte(`
+ {
+ "name": "sync-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "namespace": "test",
+ "synchronize": true,
+ "cloneList": {
+ "namespace": "default",
+ "kinds": [
+ "v1/Secret",
+ "v1/ConfigMap"
+ ],
+ "selector": {
+ "matchLabels": {
+ "{{request.object.metadata.name}}": "clone"
+ }
+ }
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "generate-downstream-namespace",
+ rule: []byte(`
+ {
+ "name": "clone-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "name": "regcred",
+ "namespace": "{{request.object.metadata.name}}",
+ "synchronize": true,
+ "clone": {
+ "namespace": "default",
+ "name": "regcred"
+ }
+ }
+ }`),
+ shouldFail: false,
+ },
+ {
+ name: "generate-downstream-kind",
+ rule: []byte(`
+ {
+ "name": "clone-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "apiVersion": "v1",
+ "kind": "{{request.object.metadata.kind}}",
+ "name": "regcred",
+ "namespace": "default",
+ "synchronize": true,
+ "clone": {
+ "namespace": "default",
+ "name": "regcred"
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "generate-downstream-apiversion",
+ rule: []byte(`
+ {
+ "name": "clone-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "kind": "Secret",
+ "apiVersion": "{{request.object.metadata.apiVersion}}",
+ "name": "regcred",
+ "namespace": "default",
+ "synchronize": true,
+ "clone": {
+ "namespace": "default",
+ "name": "regcred"
+ }
+ }
+ }`),
+ shouldFail: true,
+ },
+ {
+ name: "generate-downstream-name",
+ rule: []byte(`
+ {
+ "name": "clone-secret",
+ "match": {
+ "any": [
+ {
+ "resources": {
+ "kinds": [
+ "Namespace"
+ ]
+ }
+ }
+ ]
+ },
+ "generate": {
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "name": "{{request.object.metadata.name}}",
+ "namespace": "default",
+ "synchronize": true,
+ "clone": {
+ "namespace": "default",
+ "name": "regcred"
+ }
+ }
+ }`),
+ shouldFail: false,
+ },
+ }
+
+ for _, testcase := range testcases {
+ var rule *Rule
+ err := json.Unmarshal(testcase.rule, &rule)
+ assert.NilError(t, err, testcase.name)
+ errs := rule.ValidateGenerate(path, false, "", nil)
+ assert.Equal(t, len(errs) != 0, testcase.shouldFail, testcase.name)
+ }
+}
diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go
index 0ab5591c52ed..5a9a457430fa 100644
--- a/api/kyverno/v1/rule_types.go
+++ b/api/kyverno/v1/rule_types.go
@@ -3,12 +3,11 @@ package v1
 import (
 "encoding/json"
 "fmt"
- "reflect"
+ "github.com/kyverno/kyverno/ext/wildcard"
 "github.com/kyverno/kyverno/pkg/pss/utils"
- wildcard "github.com/kyverno/kyverno/pkg/utils/wildcard"
- "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions"
- apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+ datautils "github.com/kyverno/kyverno/pkg/utils/data"
+ admissionregistrationv1alpha1 "k8s.io/api/admissionregistration/v1alpha1"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -32,6 +31,12 @@ type ImageExtractorConfig struct {
 // Note - this field MUST be unique.
 // +optional
 Key string `json:"key,omitempty" yaml:"key,omitempty"`
+ // JMESPath is an optional JMESPath expression to apply to the image value.
+ // This is useful when the extracted image begins with a prefix like 'docker://'.
+ // The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ // Note - Image digest mutation may not be used when applying a JMESPAth to an image.
+ // +optional
+ JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
 }
 // Rule defines a validation, mutation, or generation control for matching resources.
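Review bot: The new JMESPath field comment misspells the name in `applying a JMESPAth to an image`; it should read `applying a JMESPath to an image`. The same comment states a constraint — digest mutation may not be combined with a JMESPath expression — that this hunk does not enforce; if no validation elsewhere rejects the combination, a policy author who sets both gets whatever the extractor happens to do rather than an admission-time error, so it is worth confirming that Validate rejects it or rewording the comment to describe the actual behaviour.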
@@ -40,7 +45,7 @@ type ImageExtractorConfig struct {
 type Rule struct {
 // Name is a label to identify the rule, It must be unique within the policy.
 // +kubebuilder:validation:MaxLength=63
- Name string `json:"name,omitempty" yaml:"name,omitempty"`
+ Name string `json:"name" yaml:"name"`
 // Context defines variables and data sources that can be used during rule execution.
 // +optional
@@ -69,7 +74,14 @@ type Rule struct {
 // will be deprecated in the next major release.
 // See: https://kyverno.io/docs/writing-policies/preconditions/
 // +optional
- RawAnyAllConditions *apiextv1.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ RawAnyAllConditions *ConditionsWrapper `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`
+
+ // CELPreconditions are used to determine if a policy rule should be applied by evaluating a
+ // set of CEL conditions. It can only be used with the validate.cel subrule
+ // +optional
+ CELPreconditions []admissionregistrationv1alpha1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"`
 // Mutation is used to modify matching resources.
 // +optional
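Review bot: CELPreconditions embeds admissionregistrationv1alpha1.MatchCondition in a stable kyverno.io/v1 type, so the CRD schema is now tied to an alpha upstream API that later Kubernetes releases promote; switching the import then changes generated deepcopy and schema, which is worth a comment on the field. The comment `It can only be used with the validate.cel subrule` is a constraint this hunk does not enforce: unless ValidateRuleType or a sibling check rejects celPreconditions on non-CEL rules, they are silently ignored and the rule runs unconditionally, which is the opposite of what the author intended for a precondition. Either add that check in Rule.Validate or reword to `It is only evaluated for validate.cel rules and ignored otherwise.` so the behaviour is at least documented.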
@@ -86,84 +98,107 @@ type Rule struct {
 // VerifyImages is used to verify image signatures and mutate them to add a digest
 // +optional
 VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"`
+
+ // SkipBackgroundRequests bypasses admission requests that are sent by the background controller.
+ // The default value is set to "true", it must be set to "false" to apply
+ // generate and mutateExisting rules to those requests.
+ // +kubebuilder:default=true
+ // +kubebuilder:validation:Optional
+ SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`
 }
 // HasMutate checks for mutate rule
 func (r *Rule) HasMutate() bool {
- return !reflect.DeepEqual(r.Mutation, Mutation{})
+ return !datautils.DeepEqual(r.Mutation, Mutation{})
 }
-// HasVerifyImages checks for verifyImages rule
-func (r *Rule) HasVerifyImages() bool {
- return r.VerifyImages != nil && !reflect.DeepEqual(r.VerifyImages, ImageVerification{})
+// HasMutateStandard checks for standard admission mutate rule
+func (r *Rule) HasMutateStandard() bool {
+ if r.HasMutateExisting() {
+ return false
+ }
+ return !datautils.DeepEqual(r.Mutation, Mutation{})
 }
-// HasYAMLSignatureVerify checks for validate.manifests rule
-func (r Rule) HasYAMLSignatureVerify() bool {
- return r.Validation.Manifests != nil && len(r.Validation.Manifests.Attestors) != 0
+// HasMutateExisting checks if the mutate rule applies to existing resources
+func (r *Rule) HasMutateExisting() bool {
+ return r.Mutation.Targets != nil
 }
-// HasImagesValidationChecks checks whether the verifyImages rule has validation checks
-func (r *Rule) HasImagesValidationChecks() bool {
- for _, v := range r.VerifyImages {
- if v.VerifyDigest || v.Required {
+// HasVerifyImages checks for verifyImages rule
+func (r *Rule) HasVerifyImages() bool {
+ for _, verifyImage := range r.VerifyImages {
+ if !datautils.DeepEqual(verifyImage, ImageVerification{}) {
 return true
 }
 }
- return false
 }
-// HasYAMLSignatureVerify checks for validate rule
-func (p *ClusterPolicy) HasYAMLSignatureVerify() bool {
- for _, rule := range p.Spec.Rules {
- if rule.HasYAMLSignatureVerify() {
+// HasVerifyImageChecks checks whether the verifyImages rule has validation checks
+func (r *Rule) HasVerifyImageChecks() bool {
+ for _, verifyImage := range r.VerifyImages {
+ if verifyImage.VerifyDigest || verifyImage.Required {
 return true
 }
 }
- return false
 }
+// HasVerifyManifests checks for validate.manifests rule
+func (r Rule) HasVerifyManifests() bool {
+ return r.Validation.Manifests != nil && len(r.Validation.Manifests.Attestors) != 0
+}
+
+// HasValidatePodSecurity checks for validate.podSecurity rule
+func (r Rule) HasValidatePodSecurity() bool {
+ return r.Validation.PodSecurity != nil && !datautils.DeepEqual(r.Validation.PodSecurity, &PodSecurity{})
+}
+
+// HasValidateCEL checks for validate.cel rule
+func (r *Rule) HasValidateCEL() bool {
+ return r.Validation.CEL != nil && !datautils.DeepEqual(r.Validation.CEL, &CEL{})
+}
+
+// HasValidateAssert checks for validate.assert rule
+func (r *Rule) HasValidateAssert() bool {
+ return !datautils.DeepEqual(r.Validation.Assert, AssertionTree{})
+}
+
 // HasValidate checks for validate rule
 func (r *Rule) HasValidate() bool {
- return !reflect.DeepEqual(r.Validation, Validation{})
+ return !datautils.DeepEqual(r.Validation, Validation{})
 }
 // HasGenerate checks for generate rule
 func (r *Rule) HasGenerate() bool {
- return !reflect.DeepEqual(r.Generation, Generation{})
-}
-
-// IsMutateExisting checks if the mutate rule applies to existing resources
-func (r *Rule) IsMutateExisting() bool {
- return r.Mutation.Targets != nil
+ return !datautils.DeepEqual(r.Generation, Generation{})
 }
 func (r *Rule) IsPodSecurity() bool {
 return r.Validation.PodSecurity != nil
 }
-// IsCloneSyncGenerate checks if the generate rule has the clone block with sync=true
-func (r *Rule) GetCloneSyncForGenerate() (clone bool, sync bool) {
+func (r *Rule) GetTypeAndSyncAndOrphanDownstream() (_ GenerateType, sync bool, orphanDownstream bool) {
 if !r.HasGenerate() {
 return
 }
-
- if r.Generation.Clone.Name != "" {
- clone = true
- }
-
- sync = r.Generation.Synchronize
- return
+ return r.Generation.GetTypeAndSyncAndOrphanDownstream()
 }
-func (r *Rule) GetAnyAllConditions() apiextensions.JSON {
- return FromJSON(r.RawAnyAllConditions)
+func (r *Rule) GetAnyAllConditions() any {
+ if r.RawAnyAllConditions == nil {
+ return nil
+ }
+ return r.RawAnyAllConditions.Conditions
 }
-func (r *Rule) SetAnyAllConditions(in apiextensions.JSON) {
- r.RawAnyAllConditions = ToJSON(in)
+func (r *Rule) SetAnyAllConditions(in any) {
+ var new *ConditionsWrapper
+ if in != nil {
+ new = &ConditionsWrapper{in}
+ }
+ r.RawAnyAllConditions = new
 }
 // ValidateRuleType checks only one type of rule is defined per rule
@@ -196,14 +231,14 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
 if len(r.MatchResources.Any) > 0 && len(r.ExcludeResources.Any) > 0 {
 for _, rmr := range r.MatchResources.Any {
 for _, rer := range r.ExcludeResources.Any {
- if reflect.DeepEqual(rmr, rer) {
+ if datautils.DeepEqual(rmr, rer) {
 return append(errs, field.Invalid(path, r, "Rule is matching an empty set"))
 }
 }
 }
 return errs
 }
- if reflect.DeepEqual(r.ExcludeResources, MatchResources{}) {
+ if datautils.DeepEqual(r.ExcludeResources, MatchResources{}) {
 return errs
 }
 excludeRoles := sets.New(r.ExcludeResources.Roles...)
@@ -341,7 +376,7 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
 return errs
 }
 if r.MatchResources.Annotations != nil && r.ExcludeResources.Annotations != nil {
- if !(reflect.DeepEqual(r.MatchResources.Annotations, r.ExcludeResources.Annotations)) {
+ if !datautils.DeepEqual(r.MatchResources.Annotations, r.ExcludeResources.Annotations) {
 return errs
 }
 }
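Review bot: SkipBackgroundRequests is a plain `bool` tagged `json:"skipBackgroundRequests,omitempty"` with `+kubebuilder:default=true`: when a Go client writes a rule with the field set to false, omitempty drops it from the serialized object and API-server defaulting restores true, so false cannot be persisted through this type and the documented way to apply generate and mutateExisting rules to background-controller requests does not work from Go callers. The pointer form this same commit uses for spec.admission and spec.background is the fix, `SkipBackgroundRequests *bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"`` with a nil-means-true accessor, as the other accessors in this file already do. Separately, SetAnyAllConditions names a local `new`, shadowing the builtin; `wrapper` reads better.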
@@ -354,7 +389,7 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
 // ValidateMutationRuleTargetNamespace checks if the targets are scoped to the policy's namespace
 func (r *Rule) ValidateMutationRuleTargetNamespace(path *field.Path, namespaced bool, policyNamespace string) (errs field.ErrorList) {
- if r.HasMutate() && namespaced {
+ if r.HasMutateExisting() && namespaced {
 for idx, target := range r.Mutation.Targets {
 if target.Namespace != "" && target.Namespace != policyNamespace {
 errs = append(errs, field.Invalid(path.Child("targets").Index(idx).Child("namespace"), target.Namespace, "This field can be ignored or should have value of the namespace where the policy is being created"))
@@ -373,16 +408,7 @@ func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList)
 }
 for idx, exclude := range podSecurity.Exclude {
- // container level control must specify images
- if containsString(utils.PSS_container_level_control, exclude.ControlName) {
- if len(exclude.Images) == 0 {
- errs = append(errs, field.Invalid(path.Child("podSecurity").Child("exclude").Index(idx).Child("controlName"), exclude.ControlName, "exclude.images must be specified for the container level control"))
- }
- } else if containsString(utils.PSS_pod_level_control, exclude.ControlName) {
- if len(exclude.Images) != 0 {
- errs = append(errs, field.Invalid(path.Child("podSecurity").Child("exclude").Index(idx).Child("controlName"), exclude.ControlName, "exclude.images must not be specified for the pod level control"))
- }
- }
+ errs = append(errs, exclude.Validate(path.Child("podSecurity").Child("exclude").Index(idx))...)
 if containsString([]string{"Seccomp", "Capabilities"}, exclude.ControlName) {
 continue
@@ -396,6 +422,14 @@ func (r *Rule) ValidatePSaControlNames(path *field.Path) (errs field.ErrorList)
 return errs
 }
+func (r *Rule) ValidateGenerate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
+ if !r.HasGenerate() {
+ return nil
+ }
+
+ return r.Generation.Validate(path, namespaced, policyNamespace, clusterResources)
+}
+
 // Validate implements programmatic validation
 func (r *Rule) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
 errs = append(errs, r.ValidateRuleType(path)...)
@@ -404,5 +438,6 @@ func (r *Rule) Validate(path *field.Path, namespaced bool, policyNamespace strin
 errs = append(errs, r.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
 errs = append(errs, r.ValidateMutationRuleTargetNamespace(path, namespaced, policyNamespace)...)
 errs = append(errs, r.ValidatePSaControlNames(path)...)
+ errs = append(errs, r.ValidateGenerate(path, namespaced, policyNamespace, clusterResources)...)
 return errs
 }
diff --git a/api/kyverno/v1/spec_types.go b/api/kyverno/v1/spec_types.go
index 4b76600ace7b..901cf0f6514d 100644
--- a/api/kyverno/v1/spec_types.go
+++ b/api/kyverno/v1/spec_types.go
@@ -1,9 +1,11 @@
 package v1
 import (
+ "context"
 "fmt"
 "github.com/kyverno/kyverno/pkg/toggle"
+ admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation/field"
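Review bot: ValidateGenerate is exported without a doc comment and returns a bare `nil` despite declaring the named result `errs`, which the neighbouring Validate methods in this file return by name. Suggest `// ValidateGenerate validates the rule's generate block; it returns no errors when the rule has no generate block.` and either `return errs` on the early exit or dropping the named result, so the two styles do not mix within one file.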
@@ -14,15 +16,20 @@ type ValidationFailureAction string
 // Policy Reporting Modes
 const (
+ // auditOld doesn't block the request on failure
+ // DEPRECATED: use Audit instead
+ auditOld ValidationFailureAction = "audit"
 // enforceOld blocks the request on failure
- // DEPRECATED: use enforce instead
+ // DEPRECATED: use Enforce instead
 enforceOld ValidationFailureAction = "enforce"
- // enforce blocks the request on failure
- enforce ValidationFailureAction = "Enforce"
+ // Enforce blocks the request on failure
+ Enforce ValidationFailureAction = "Enforce"
+ // Audit doesn't block the request on failure
+ Audit ValidationFailureAction = "Audit"
 )
 func (a ValidationFailureAction) Enforce() bool {
- return a == enforce || a == enforceOld
+ return a == Enforce || a == enforceOld
 }
 func (a ValidationFailureAction) Audit() bool {
@@ -30,8 +37,7 @@ func (a ValidationFailureAction) Audit() bool {
 }
 func (a ValidationFailureAction) IsValid() bool {
- // ValidationFailureAction should either be enforce / audit
- return a.Enforce() || a.Audit()
+ return a == enforceOld || a == auditOld || a == Enforce || a == Audit
 }
 type ValidationFailureActionOverride struct {
@@ -54,27 +60,23 @@ type Spec struct {
 // +optional
 ApplyRules *ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
- // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- // Rules within the same policy share the same failure behavior.
- // This field should not be accessed directly, instead `GetFailurePolicy()` should be used.
- // Allowed values are Ignore or Fail. Defaults to Fail.
- // +optional
+ // Deprecated, use failurePolicy under the webhookConfiguration instead.
 FailurePolicy *FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
- // ValidationFailureAction defines if a validation policy rule violation should block
- // the admission review request (enforce), or allow (audit) the admission review request
- // and report an error in a policy report. Optional.
- // Allowed values are audit or enforce. The default value is "Audit".
- // +optional
+ // Deprecated, use validationFailureAction under the validate rule instead.
 // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
 // +kubebuilder:default=Audit
 ValidationFailureAction ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
- // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- // namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
- // +optional
+ // Deprecated, use validationFailureActionOverrides under the validate rule instead.
 ValidationFailureActionOverrides []ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
+ // Admission controls if rules are applied during admission.
+ // Optional. Default value is "true".
+ // +optional
+ // +kubebuilder:default=true
+ Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`
+
 // Background controls if rules are applied to existing resources during a background scan.
 // Optional. Default value is "true". The value must be set to "false" if the policy rule
 // uses variables that are only available in the admission review request (e.g. user name).
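Review bot: The replacement comments on FailurePolicy, ValidationFailureAction and ValidationFailureActionOverrides read `// Deprecated, use ... instead.`; Go tooling (staticcheck, gopls, pkg.go.dev) only recognizes a paragraph that begins `// Deprecated: ` with a colon, so callers of these fields will not be warned. Suggest `// Deprecated: use failurePolicy under the webhookConfiguration instead.` and the same form for the other two; the SchemaValidation, WebhookTimeoutSeconds, MutateExistingOnPolicyUpdate, GenerateExistingOnPolicyUpdate and GenerateExisting comments in the next hunk (`@@ -82,26 +84,37 @@`) have the same problem. The allowed values and defaults removed from these comments are now documented only on the replacement fields, which is fine as long as those fields state them.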
@@ -82,26 +84,37 @@ type Spec struct {
 // +kubebuilder:default=true
 Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
- // SchemaValidation skips validation checks for policies as well as patched resources.
- // Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
- // +optional
+ // Deprecated.
 SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
- // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- // After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ // Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
 WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
- // MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- // Default value is "false".
+ // Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
 // +optional
 MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
- // GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources
- // If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ // Deprecated, use generateExisting instead
+ // +optional
+ GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
+
+ // Deprecated, use generateExisting under the generate rule instead
+ // +optional
+ GenerateExisting bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`
+
+ // UseServerSideApply controls whether to use server-side apply for generate rules
+ // If is set to "true" create & update for generate rules will use apply instead of create/update.
 // Defaults to "false" if not specified.
 // +optional
- GenerateExistingOnPolicyUpdate bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
+ UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
+
+ // WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ // +optional
+ WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
+}
+
+func (s *Spec) CustomWebhookMatchConditions() bool {
+ return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 func (s *Spec) SetRules(rules []Rule) {
@@ -125,7 +138,26 @@ func (s *Spec) HasMutate() bool {
 return true
 }
 }
+ return false
+}
+
+// HasMutateStandard checks for standard admission mutate rule
+func (s *Spec) HasMutateStandard() bool {
+ for _, rule := range s.Rules {
+ if rule.HasMutateStandard() {
+ return true
+ }
+ }
+ return false
+}
+// HasMutateExisting checks for mutate existing rule types
+func (s *Spec) HasMutateExisting() bool {
+ for _, rule := range s.Rules {
+ if rule.HasMutateExisting() {
+ return true
+ }
+ }
 return false
 }
@@ -136,10 +168,22 @@ func (s *Spec) HasValidate() bool {
 return true
 }
 }
-
 return false
 }
+// HasValidateEnforce checks if the policy has any validate rules with enforce action
+func (s *Spec) HasValidateEnforce() bool {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ action := rule.Validation.ValidationFailureAction
+ if action != nil && action.Enforce() {
+ return true
+ }
+ }
+ }
+ return s.ValidationFailureAction.Enforce()
+}
+
 // HasGenerate checks for generate rule types
 func (s *Spec) HasGenerate() bool {
 for _, rule := range s.Rules {
@@ -147,18 +191,16 @@ func (s *Spec) HasGenerate() bool {
 return true
 }
 }
-
 return false
 }
-// HasImagesValidationChecks checks for image verification rules invoked during resource validation
-func (s *Spec) HasImagesValidationChecks() bool {
+// HasVerifyImageChecks checks for image verification rules invoked during resource validation
+func (s *Spec) HasVerifyImageChecks() bool {
 for _, rule := range s.Rules {
- if rule.HasImagesValidationChecks() {
+ if rule.HasVerifyImageChecks() {
 return true
 }
 }
-
 return false
 }
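Review bot: HasValidateEnforce falls back to `s.ValidationFailureAction.Enforce()` after the loop regardless of what the rules declared, so a policy whose every validate rule explicitly sets `validationFailureAction: Audit` is still reported as enforcing whenever the deprecated spec-level field is Enforce, and a policy with no validate rules at all can report true. The deprecation comments in this same commit say the rule-level field replaces the spec-level one, so the spec-level value should only stand in for rules that leave it unset; the rewrite below applies the fallback per rule and returns false when no validate rule enforces. If the intent really is that either level enforcing counts, a comment saying so would settle the question for the next reader.

```go
// HasValidateEnforce reports whether any validate rule enforces. A rule-level
// validationFailureAction wins; the deprecated spec-level action applies only
// to validate rules that leave it unset.
func (s *Spec) HasValidateEnforce() bool {
	for _, rule := range s.Rules {
		if !rule.HasValidate() {
			continue
		}
		if action := rule.Validation.ValidationFailureAction; action != nil {
			if action.Enforce() {
				return true
			}
			continue
		}
		if s.ValidationFailureAction.Enforce() {
			return true
		}
	}
	return false
}
```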
@@ -169,61 +211,93 @@ func (s *Spec) HasVerifyImages() bool { return true } } - return false } -// HasYAMLSignatureVerify checks for image verification rules invoked during resource mutation -func (s *Spec) HasYAMLSignatureVerify() bool { +// HasVerifyManifests checks for image verification rules invoked during resource mutation +func (s *Spec) HasVerifyManifests() bool { for _, rule := range s.Rules { - if rule.HasYAMLSignatureVerify() { + if rule.HasVerifyManifests() { return true } } - return false } +// AdmissionProcessingEnabled checks if admission is set to true +func (s *Spec) AdmissionProcessingEnabled() bool { + if s.Admission == nil { + return true + } + + return *s.Admission +} + // BackgroundProcessingEnabled checks if background is set to true func (s *Spec) BackgroundProcessingEnabled() bool { if s.Background == nil { return true } - return *s.Background } -// IsMutateExisting checks if the mutate policy applies to existing resources -func (s *Spec) IsMutateExisting() bool { +// GetMutateExistingOnPolicyUpdate returns true if any of the rules have MutateExistingOnPolicyUpdate set to true +func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { for _, rule := range s.Rules { - if rule.IsMutateExisting() { - return true + if rule.HasMutate() { + isMutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if isMutateExisting != nil && *isMutateExisting { + return true + } } } - return false -} - -// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value -func (s *Spec) GetMutateExistingOnPolicyUpdate() bool { return s.MutateExistingOnPolicyUpdate } -// IsGenerateExistingOnPolicyUpdate return GenerateExistingOnPolicyUpdate set value -func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool { - return s.GenerateExistingOnPolicyUpdate +// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true +func (s *Spec) IsGenerateExisting() bool { + for _, rule := range s.Rules { + if rule.HasGenerate() { 
+ isGenerateExisting := rule.Generation.GenerateExisting + if isGenerateExisting != nil && *isGenerateExisting { + return true + } + } + } + return s.GenerateExisting } // GetFailurePolicy returns the failure policy to be applied -func (s *Spec) GetFailurePolicy() FailurePolicyType { - if toggle.ForceFailurePolicyIgnore.Enabled() { +func (s *Spec) GetFailurePolicy(ctx context.Context) FailurePolicyType { + if toggle.FromContext(ctx).ForceFailurePolicyIgnore() { return Ignore - } else if s.FailurePolicy == nil { - return Fail + } else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil { + return *s.WebhookConfiguration.FailurePolicy + } else if s.FailurePolicy != nil { + return *s.FailurePolicy } - return *s.FailurePolicy + return Fail } -// GetFailurePolicy returns the failure policy to be applied +func (s *Spec) GetWebhookTimeoutSeconds() *int32 { + if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil { + return s.WebhookConfiguration.TimeoutSeconds + } + if s.WebhookTimeoutSeconds != nil { + return s.WebhookTimeoutSeconds + } + return nil +} + +// GetMatchConditions returns matchConditions in webhookConfiguration +func (s *Spec) GetMatchConditions() []admissionregistrationv1.MatchCondition { + if s.WebhookConfiguration != nil { + return s.WebhookConfiguration.MatchConditions + } + return nil +} + +// GetApplyRules returns the apply rules type func (s *Spec) GetApplyRules() ApplyRulesType { if s.ApplyRules == nil { return ApplyAll @@ -231,13 +305,6 @@ func (s *Spec) GetApplyRules() ApplyRulesType { return *s.ApplyRules } -func (s *Spec) ValidateSchema() bool { - if s.SchemaValidation != nil { - return *s.SchemaValidation - } - return true -} - // ValidateRuleNames checks if the rule names are unique across a policy func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList) { names := sets.New[string]() 
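Review bot: The doc comment carried over onto `HasVerifyManifests` is wrong for what the method now does: it still reads "checks for image verification rules invoked during resource mutation", while the body looks for `rule.HasVerifyManifests()`, i.e. manifest signature verification; I would replace it with `// HasVerifyManifests reports whether any rule verifies Kubernetes manifest signatures.` `GetFailurePolicy` also deserves a comment on its precedence, since it silently decides between three sources: `// Precedence: the ForceFailurePolicyIgnore toggle wins, then webhookConfiguration.failurePolicy, then the deprecated spec.failurePolicy; Fail is the default.` Likewise `GetWebhookTimeoutSeconds` prefers `webhookConfiguration.timeoutSeconds` over the deprecated `webhookTimeoutSeconds`, and its comment should say so rather than leaving the method undocumented. The hunk opens inside `HasVerifyImages`, whose start is outside it.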
@@ -254,14 +321,57 @@ func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList) { // ValidateRules implements programmatic validation of Rules func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) { errs = append(errs, s.ValidateRuleNames(path)...) + for i, rule := range s.Rules { errs = append(errs, rule.Validate(path.Index(i), namespaced, policyNamespace, clusterResources)...) } return errs } +func (s *Spec) validateDeprecatedFields(path *field.Path) (errs field.ErrorList) { + if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil { + errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead")) + } + + if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil { + errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead")) + } + + if s.GenerateExistingOnPolicyUpdate != nil { + errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead")) + } + return errs +} + +func (s *Spec) validateMutateTargets(path *field.Path) (errs field.ErrorList) { + for i, rule := range s.Rules { + if !rule.HasMutate() { + continue + } + mutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate + if s.MutateExistingOnPolicyUpdate || (mutateExisting != nil && *mutateExisting) { + if len(rule.Mutation.Targets) == 0 { + errs = append(errs, field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), fmt.Sprintf("rules[%v].mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set", i))) + } + } + } + return errs +} + // Validate implements programmatic validation func (s 
*Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) { + if err := s.validateDeprecatedFields(path); err != nil { + errs = append(errs, err...) + } + if err := s.validateMutateTargets(path); err != nil { + errs = append(errs, err...) + } + if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) { + errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) + } + if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) { + errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds")) + } errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...) if namespaced && len(s.ValidationFailureActionOverrides) > 0 { errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy")) diff --git a/api/kyverno/v1/user_info_types.go b/api/kyverno/v1/user_info_types.go index 32c3505b288a..2d1292fe8d7e 100644 --- a/api/kyverno/v1/user_info_types.go +++ b/api/kyverno/v1/user_info_types.go 
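Review bot: The field path for the new timeout check in `Validate` is built as `path.Child("webhookConfiguration.timeoutSeconds")`, which makes a single child named with a dot instead of the two-level path; it should be `path.Child("webhookConfiguration").Child("timeoutSeconds")`, and the same applies to `validateMutateTargets`, which reports `path.Child("mutateExistingOnPolicyUpdate")` even when the trigger was the rule-level `rules[i].mutate.mutateExistingOnPolicyUpdate`. The `if err := s.validateDeprecatedFields(path); err != nil { errs = append(errs, err...) }` wrappers are also redundant, since appending a nil `field.ErrorList` is a no-op; the `ValidateRules` call in the same hunk already uses the plain form `errs = append(errs, s.validateDeprecatedFields(path)...)`, so the two new calls should match it. The 1–30 second bound is applied twice with identical text; a small helper taking the path and the `*int32` would keep the two checks from drifting apart. `Validate` continues past the end of the hunk.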
@@ -35,6 +35,8 @@ func (u *UserInfo) ValidateSubjects(path *field.Path) (errs field.ErrorList) { entry := path.Index(index) if subject.Kind == "" { errs = append(errs, field.Required(entry.Child("kind"), "")) + } else if subject.Kind != rbacv1.GroupKind && subject.Kind != rbacv1.ServiceAccountKind && subject.Kind != rbacv1.UserKind { + errs = append(errs, field.Invalid(entry.Child("kind"), subject.Kind, "kind must be 'User', 'Group', or 'ServiceAccount'")) } if subject.Name == "" { errs = append(errs, field.Required(entry.Child("name"), "")) diff --git a/api/kyverno/v1/utils.go b/api/kyverno/v1/utils.go index e6623f1054ec..ddf3bab9ce99 100755 --- a/api/kyverno/v1/utils.go +++ b/api/kyverno/v1/utils.go @@ -1,6 +1,7 @@ package v1 import ( + "github.com/kyverno/kyverno/api/kyverno" log "github.com/kyverno/kyverno/pkg/logging" "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" @@ -28,7 +29,7 @@ func ToJSON(in apiextensions.JSON) *apiextv1.JSON { // ValidatePolicyName validates policy name func ValidateAutogenAnnotation(path *field.Path, annotations map[string]string) (errs field.ErrorList) { - value, ok := annotations[PodControllersAnnotation] + value, ok := annotations[kyverno.AnnotationAutogenControllers] if ok { if value == "all" { errs = append(errs, field.Forbidden(path, "Autogen annotation does not support 'all' anymore, remove the annotation or set it to a valid value")) diff --git a/api/kyverno/v1/violated_rule_types.go b/api/kyverno/v1/violated_rule_types.go deleted file mode 100755 index 945cf419cb87..000000000000 --- a/api/kyverno/v1/violated_rule_types.go +++ /dev/null 
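Review bot: The new kind check is a good tightening, because a subject with an unknown kind can never match and would otherwise silently disable the match/exclude clause it belongs to. The same reasoning suggests checking that a `ServiceAccount` subject also carries a namespace, since the visible checks only cover `Kind` and `Name`: `if subject.Kind == rbacv1.ServiceAccountKind && subject.Namespace == "" { errs = append(errs, field.Required(entry.Child("namespace"), "namespace is required for ServiceAccount subjects")) }` — unless that is already handled further down in `ValidateSubjects`, whose body continues outside this hunk. I would also add a one-line comment above the `else if` noting that the accepted values mirror the RBAC subject kinds so the two stay in sync.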
@@ -1,17 +0,0 @@ -package v1 - -// ViolatedRule stores the information regarding the rule. -type ViolatedRule struct { - // Name specifies violated rule name. - Name string `json:"name" yaml:"name"` - - // Type specifies violated rule type. - Type string `json:"type" yaml:"type"` - - // Message specifies violation message. - // +optional - Message string `json:"message" yaml:"message"` - - // Status shows the rule response status - Status string `json:"status" yaml:"status"` -} diff --git a/api/kyverno/v1/wrappers.go b/api/kyverno/v1/wrappers.go new file mode 100644 index 000000000000..4ea7542f3387 --- /dev/null +++ b/api/kyverno/v1/wrappers.go 
@@ -0,0 +1,125 @@
+package v1
+
+import (
+ "encoding/json"
+ "fmt"
+
+ "github.com/jinzhu/copier"
+)
+
+// ForEachValidationWrapper contains a list of ForEach descriptors.
+// +k8s:deepcopy-gen=false
+type ForEachValidationWrapper struct {
+ // Item is a descriptor on how to iterate over the list of items.
+ // +optional
+ Items []ForEachValidation `json:"-"`
+}
+
+func (in *ForEachValidationWrapper) DeepCopyInto(out *ForEachValidationWrapper) {
+ if err := copier.Copy(out, in); err != nil {
+ panic("deep copy failed")
+ }
+}
+
+func (in *ForEachValidationWrapper) DeepCopy() *ForEachValidationWrapper {
+ if in == nil {
+ return nil
+ }
+ out := new(ForEachValidationWrapper)
+ in.DeepCopyInto(out)
+ return out
+}
+
+func (a *ForEachValidationWrapper) MarshalJSON() ([]byte, error) {
+ return json.Marshal(a.Items)
+}
+
+func (a *ForEachValidationWrapper) UnmarshalJSON(data []byte) error {
+ var res []ForEachValidation
+ if err := json.Unmarshal(data, &res); err != nil {
+ return err
+ }
+ a.Items = res
+ return nil
+}
+
+// ForEachMutationWrapper contains a list of ForEach descriptors.
+// +k8s:deepcopy-gen=false
+type ForEachMutationWrapper struct {
+ // Item is a descriptor on how to iterate over the list of items.
+ // +optional
+ Items []ForEachMutation `json:"-"`
+}
+
+func (in *ForEachMutationWrapper) DeepCopyInto(out *ForEachMutationWrapper) {
+ if err := copier.Copy(out, in); err != nil {
+ panic("deep copy failed")
+ }
+}
+
+func (in *ForEachMutationWrapper) DeepCopy() *ForEachMutationWrapper {
+ if in == nil {
+ return nil
+ }
+ out := new(ForEachMutationWrapper)
+ in.DeepCopyInto(out)
+ return out
+}
+
+func (a *ForEachMutationWrapper) MarshalJSON() ([]byte, error) {
+ return json.Marshal(a.Items)
+}
+
+func (a *ForEachMutationWrapper) UnmarshalJSON(data []byte) error {
+ var res []ForEachMutation
+ if err := json.Unmarshal(data, &res); err != nil {
+ return err
+ }
+ a.Items = res
+ return nil
+}
+
+// ConditionsWrapper contains either the deprecated list of Conditions or the new AnyAll Conditions.
+// +k8s:deepcopy-gen=false
+type ConditionsWrapper struct {
+ // Conditions is a list of conditions that must be satisfied for the rule to be applied.
+ // +optional
+ Conditions any `json:"-"`
+}
+
+func (in *ConditionsWrapper) DeepCopyInto(out *ConditionsWrapper) {
+ if err := copier.Copy(out, in); err != nil {
+ panic("deep copy failed")
+ }
+}
+
+func (in *ConditionsWrapper) DeepCopy() *ConditionsWrapper {
+ if in == nil {
+ return nil
+ }
+ out := new(ConditionsWrapper)
+ in.DeepCopyInto(out)
+ return out
+}
+
+func (a *ConditionsWrapper) MarshalJSON() ([]byte, error) {
+ return json.Marshal(a.Conditions)
+}
+
+func (a *ConditionsWrapper) UnmarshalJSON(data []byte) error {
+ var err error
+
+ var kyvernoOldConditions []Condition
+ if err = json.Unmarshal(data, &kyvernoOldConditions); err == nil {
+ a.Conditions = kyvernoOldConditions
+ return nil
+ }
+
+ var kyvernoAnyAllConditions AnyAllConditions
+ if err = json.Unmarshal(data, &kyvernoAnyAllConditions); err == nil {
+ a.Conditions = kyvernoAnyAllConditions
+ return nil
+ }
+
+ return fmt.Errorf("failed to unmarshal Conditions")
+}
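Review bot: `ConditionsWrapper.UnmarshalJSON` discards both decode errors and returns a constant message, so an operator whose policy is rejected learns nothing about which shape failed or why; the `var err error` it declares is assigned twice but never surfaced. Keep one error per attempt, `var oldErr, anyAllErr error`, assign them in the two `if` statements, and finish with `return fmt.Errorf("failed to unmarshal Conditions as []Condition (%w) or AnyAllConditions (%w)", oldErr, anyAllErr)` so both causes stay inspectable with `errors.Is`/`errors.As`. The three `DeepCopyInto` methods likewise drop the error on failure; `panic(fmt.Sprintf("deep copy failed: %v", err))` costs nothing and preserves the cause. Whether `copier.Copy` produces a true deep copy of the `Conditions any` field (a slice or struct behind an interface) is not established by this hunk and is worth confirming with a test that mutates the copy and checks the original.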
diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 77399dfccc9f..c6feffb85c66 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -17,26 +17,36 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by controller-gen. DO NOT EDIT. +// Code generated by deepcopy-gen. DO NOT EDIT. package v1 import ( - "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest" + k8smanifest "github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" + v1alpha1 "k8s.io/api/admissionregistration/v1alpha1" rbacv1 "k8s.io/api/rbac/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *APICall) DeepCopyInto(out *APICall) { *out = *in + if in.Data != nil { + in, out := &in.Data, &out.Data + *out = make([]RequestData, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Service != nil { in, out := &in.Service, &out.Service *out = new(ServiceCall) - (*in).DeepCopyInto(*out) + **out = **in } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APICall. 
@@ -49,21 +59,6 @@ func (in *APICall) DeepCopy() *APICall { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObject) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject. -func (in *AdmissionRequestInfoObject) DeepCopy() *AdmissionRequestInfoObject { - if in == nil { - return nil - } - out := new(AdmissionRequestInfoObject) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) { *out = *in @@ -81,6 +76,7 @@ func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions. @@ -110,6 +106,7 @@ func (in *Attestation) DeepCopyInto(out *Attestation) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation. @@ -152,6 +149,7 @@ func (in *Attestor) DeepCopyInto(out *Attestor) { (*out)[key] = val } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestor. @@ -179,6 +177,7 @@ func (in *AttestorSet) DeepCopyInto(out *AttestorSet) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttestorSet. @@ -201,6 +200,7 @@ func (in *AutogenStatus) DeepCopyInto(out *AutogenStatus) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutogenStatus. 
@@ -213,9 +213,53 @@ func (in *AutogenStatus) DeepCopy() *AutogenStatus { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CEL) DeepCopyInto(out *CEL) { + *out = *in + if in.Expressions != nil { + in, out := &in.Expressions, &out.Expressions + *out = make([]v1alpha1.Validation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.ParamKind != nil { + in, out := &in.ParamKind, &out.ParamKind + *out = new(v1alpha1.ParamKind) + **out = **in + } + if in.ParamRef != nil { + in, out := &in.ParamRef, &out.ParamRef + *out = new(v1alpha1.ParamRef) + (*in).DeepCopyInto(*out) + } + if in.AuditAnnotations != nil { + in, out := &in.AuditAnnotations, &out.AuditAnnotations + *out = make([]v1alpha1.AuditAnnotation, len(*in)) + copy(*out, *in) + } + if in.Variables != nil { + in, out := &in.Variables, &out.Variables + *out = make([]v1alpha1.Variable, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CEL. +func (in *CEL) DeepCopy() *CEL { + if in == nil { + return nil + } + out := new(CEL) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CTLog) DeepCopyInto(out *CTLog) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CTLog. @@ -233,9 +277,15 @@ func (in *CertificateAttestor) DeepCopyInto(out *CertificateAttestor) { *out = *in if in.Rekor != nil { in, out := &in.Rekor, &out.Rekor + *out = new(Rekor) + **out = **in + } + if in.CTLog != nil { + in, out := &in.CTLog, &out.CTLog *out = new(CTLog) **out = **in } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAttestor. 
@@ -251,6 +301,7 @@ func (in *CertificateAttestor) DeepCopy() *CertificateAttestor { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *CloneFrom) DeepCopyInto(out *CloneFrom) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneFrom. @@ -276,6 +327,7 @@ func (in *CloneList) DeepCopyInto(out *CloneList) { *out = new(metav1.LabelSelector) (*in).DeepCopyInto(*out) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneList. @@ -295,6 +347,7 @@ func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy) { in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy. @@ -327,6 +380,7 @@ func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList. @@ -360,6 +414,7 @@ func (in *Condition) DeepCopyInto(out *Condition) { *out = new(apiextensionsv1.JSON) (*in).DeepCopyInto(*out) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. @@ -375,6 +430,7 @@ func (in *Condition) DeepCopy() *Condition { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference. 
@@ -387,6 +443,23 @@ func (in *ConfigMapReference) DeepCopy() *ConfigMapReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ContextAPICall) DeepCopyInto(out *ContextAPICall) { + *out = *in + in.APICall.DeepCopyInto(&out.APICall) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextAPICall. +func (in *ContextAPICall) DeepCopy() *ContextAPICall { + if in == nil { + return nil + } + out := new(ContextAPICall) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ContextEntry) DeepCopyInto(out *ContextEntry) { *out = *in @@ -397,19 +470,25 @@ func (in *ContextEntry) DeepCopyInto(out *ContextEntry) { } if in.APICall != nil { in, out := &in.APICall, &out.APICall - *out = new(APICall) + *out = new(ContextAPICall) (*in).DeepCopyInto(*out) } if in.ImageRegistry != nil { in, out := &in.ImageRegistry, &out.ImageRegistry *out = new(ImageRegistry) - **out = **in + (*in).DeepCopyInto(*out) } if in.Variable != nil { in, out := &in.Variable, &out.Variable *out = new(Variable) (*in).DeepCopyInto(*out) } + if in.GlobalReference != nil { + in, out := &in.GlobalReference, &out.GlobalReference + *out = new(GlobalContextEntryReference) + **out = **in + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextEntry. @@ -427,9 +506,9 @@ func (in *Deny) DeepCopyInto(out *Deny) { *out = *in if in.RawAnyAllConditions != nil { in, out := &in.RawAnyAllConditions, &out.RawAnyAllConditions - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny. 
@@ -445,6 +524,7 @@ func (in *Deny) DeepCopy() *Deny { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *DryRunOption) DeepCopyInto(out *DryRunOption) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DryRunOption. @@ -460,6 +540,11 @@ func (in *DryRunOption) DeepCopy() *DryRunOption { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) { *out = *in + if in.Order != nil { + in, out := &in.Order, &out.Order + *out = new(ForeachOrder) + **out = **in + } if in.Context != nil { in, out := &in.Context, &out.Context *out = make([]ContextEntry, len(*in)) @@ -474,14 +559,13 @@ func (in *ForEachMutation) DeepCopyInto(out *ForEachMutation) { } if in.RawPatchStrategicMerge != nil { in, out := &in.RawPatchStrategicMerge, &out.RawPatchStrategicMerge - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.ForEachMutation != nil { in, out := &in.ForEachMutation, &out.ForEachMutation - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForEachMutation. @@ -531,9 +615,9 @@ func (in *ForEachValidation) DeepCopyInto(out *ForEachValidation) { } if in.ForEachValidation != nil { in, out := &in.ForEachValidation, &out.ForEachValidation - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForEachValidation. 
@@ -547,137 +631,46 @@ func (in *ForEachValidation) DeepCopy() *ForEachValidation { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GenerateRequest) DeepCopyInto(out *GenerateRequest) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequest. -func (in *GenerateRequest) DeepCopy() *GenerateRequest { - if in == nil { - return nil - } - out := new(GenerateRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *GenerateRequest) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GenerateRequestContext) DeepCopyInto(out *GenerateRequestContext) { - *out = *in - in.UserRequestInfo.DeepCopyInto(&out.UserRequestInfo) - out.AdmissionRequestInfo = in.AdmissionRequestInfo -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestContext. -func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext { - if in == nil { - return nil - } - out := new(GenerateRequestContext) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList) { +func (in *Generation) DeepCopyInto(out *Generation) { *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]GenerateRequest, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestList. -func (in *GenerateRequestList) DeepCopy() *GenerateRequestList { - if in == nil { - return nil + if in.GenerateExisting != nil { + in, out := &in.GenerateExisting, &out.GenerateExisting + *out = new(bool) + **out = **in } - out := new(GenerateRequestList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *GenerateRequestList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c + out.ResourceSpec = in.ResourceSpec + if in.RawData != nil { + in, out := &in.RawData, &out.RawData + *out = new(apiextensionsv1.JSON) + (*in).DeepCopyInto(*out) } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GenerateRequestSpec) DeepCopyInto(out *GenerateRequestSpec) { - *out = *in - out.Resource = in.Resource - in.Context.DeepCopyInto(&out.Context) + out.Clone = in.Clone + in.CloneList.DeepCopyInto(&out.CloneList) + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestSpec. -func (in *GenerateRequestSpec) DeepCopy() *GenerateRequestSpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Generation. 
+func (in *Generation) DeepCopy() *Generation { if in == nil { return nil } - out := new(GenerateRequestSpec) + out := new(Generation) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GenerateRequestStatus) DeepCopyInto(out *GenerateRequestStatus) { +func (in *GlobalContextEntryReference) DeepCopyInto(out *GlobalContextEntryReference) { *out = *in - if in.GeneratedResources != nil { - in, out := &in.GeneratedResources, &out.GeneratedResources - *out = make([]ResourceSpec, len(*in)) - copy(*out, *in) - } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestStatus. -func (in *GenerateRequestStatus) DeepCopy() *GenerateRequestStatus { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalContextEntryReference. +func (in *GlobalContextEntryReference) DeepCopy() *GlobalContextEntryReference { if in == nil { return nil } - out := new(GenerateRequestStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Generation) DeepCopyInto(out *Generation) { - *out = *in - out.ResourceSpec = in.ResourceSpec - if in.RawData != nil { - in, out := &in.RawData, &out.RawData - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) - } - out.Clone = in.Clone - in.CloneList.DeepCopyInto(&out.CloneList) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Generation. -func (in *Generation) DeepCopy() *Generation { - if in == nil { - return nil - } - out := new(Generation) + out := new(GlobalContextEntryReference) in.DeepCopyInto(out) return out } @@ -690,6 +683,7 @@ func (in IgnoreFieldList) DeepCopyInto(out *IgnoreFieldList) { for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } + return } } 
@@ -706,6 +700,7 @@ func (in IgnoreFieldList) DeepCopy() IgnoreFieldList { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageExtractorConfig) DeepCopyInto(out *ImageExtractorConfig) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageExtractorConfig. @@ -734,6 +729,7 @@ func (in ImageExtractorConfigs) DeepCopyInto(out *ImageExtractorConfigs) { } (*out)[key] = outVal } + return } } @@ -750,6 +746,12 @@ func (in ImageExtractorConfigs) DeepCopy() ImageExtractorConfigs { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageRegistry) DeepCopyInto(out *ImageRegistry) { *out = *in + if in.ImageRegistryCredentials != nil { + in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials + *out = new(ImageRegistryCredentials) + (*in).DeepCopyInto(*out) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistry. 
@@ -762,14 +764,50 @@ func (in *ImageRegistry) DeepCopy() *ImageRegistry { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ImageRegistryCredentials) DeepCopyInto(out *ImageRegistryCredentials) { + *out = *in + if in.Providers != nil { + in, out := &in.Providers, &out.Providers + *out = make([]ImageRegistryCredentialsProvidersType, len(*in)) + copy(*out, *in) + } + if in.Secrets != nil { + in, out := &in.Secrets, &out.Secrets + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRegistryCredentials. +func (in *ImageRegistryCredentials) DeepCopy() *ImageRegistryCredentials { + if in == nil { + return nil + } + out := new(ImageRegistryCredentials) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(ValidationFailureAction) + **out = **in + } if in.ImageReferences != nil { in, out := &in.ImageReferences, &out.ImageReferences *out = make([]string, len(*in)) copy(*out, *in) } + if in.SkipImageReferences != nil { + in, out := &in.SkipImageReferences, &out.SkipImageReferences + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.AdditionalExtensions != nil { in, out := &in.AdditionalExtensions, &out.AdditionalExtensions *out = make(map[string]string, len(*in)) 
@@ -798,6 +836,12 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { (*out)[key] = val } } + if in.ImageRegistryCredentials != nil { + in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials + *out = new(ImageRegistryCredentials) + (*in).DeepCopyInto(*out) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification. @@ -815,6 +859,11 @@ func (in *KeylessAttestor) DeepCopyInto(out *KeylessAttestor) { *out = *in if in.Rekor != nil { in, out := &in.Rekor, &out.Rekor + *out = new(Rekor) + **out = **in + } + if in.CTLog != nil { + in, out := &in.CTLog, &out.CTLog *out = new(CTLog) **out = **in } @@ -825,6 +874,7 @@ func (in *KeylessAttestor) DeepCopyInto(out *KeylessAttestor) { (*out)[key] = val } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeylessAttestor. @@ -855,6 +905,7 @@ func (in *Manifests) DeepCopyInto(out *Manifests) { } } out.DryRunOption = in.DryRunOption + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Manifests. @@ -886,6 +937,7 @@ func (in *MatchResources) DeepCopyInto(out *MatchResources) { } in.UserInfo.DeepCopyInto(&out.UserInfo) in.ResourceDescription.DeepCopyInto(&out.ResourceDescription) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources. 
@@ -901,10 +953,17 @@ func (in *MatchResources) DeepCopy() *MatchResources { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Mutation) DeepCopyInto(out *Mutation) { *out = *in + if in.MutateExistingOnPolicyUpdate != nil { + in, out := &in.MutateExistingOnPolicyUpdate, &out.MutateExistingOnPolicyUpdate + *out = new(bool) + **out = **in + } if in.Targets != nil { in, out := &in.Targets, &out.Targets - *out = make([]ResourceSpec, len(*in)) - copy(*out, *in) + *out = make([]TargetResourceSpec, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } } if in.RawPatchStrategicMerge != nil { in, out := &in.RawPatchStrategicMerge, &out.RawPatchStrategicMerge @@ -918,6 +977,7 @@ func (in *Mutation) DeepCopyInto(out *Mutation) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mutation. @@ -943,6 +1003,7 @@ func (in *ObjectFieldBinding) DeepCopyInto(out *ObjectFieldBinding) { *out = make(k8smanifest.ObjectReferenceList, len(*in)) copy(*out, *in) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectFieldBinding. @@ -965,6 +1026,7 @@ func (in *PodSecurity) DeepCopyInto(out *PodSecurity) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurity. @@ -985,6 +1047,12 @@ func (in *PodSecurityStandard) DeepCopyInto(out *PodSecurityStandard) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Values != nil { + in, out := &in.Values, &out.Values + *out = make([]string, len(*in)) + copy(*out, *in) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityStandard. 
@@ -1004,6 +1072,7 @@ func (in *Policy) DeepCopyInto(out *Policy) { in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. @@ -1036,6 +1105,7 @@ func (in *PolicyList) DeepCopyInto(out *PolicyList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList. @@ -1068,6 +1138,8 @@ func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus) { } in.Autogen.DeepCopyInto(&out.Autogen) out.RuleCount = in.RuleCount + out.ValidatingAdmissionPolicy = in.ValidatingAdmissionPolicy + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus. 
@@ -1081,47 +1153,38 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RequestData) DeepCopyInto(out *RequestData) { +func (in *Rekor) DeepCopyInto(out *Rekor) { *out = *in - if in.Value != nil { - in, out := &in.Value, &out.Value - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) - } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestData. -func (in *RequestData) DeepCopy() *RequestData { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rekor. +func (in *Rekor) DeepCopy() *Rekor { if in == nil { return nil } - out := new(RequestData) + out := new(Rekor) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RequestInfo) DeepCopyInto(out *RequestInfo) { +func (in *RequestData) DeepCopyInto(out *RequestData) { *out = *in - if in.Roles != nil { - in, out := &in.Roles, &out.Roles - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.ClusterRoles != nil { - in, out := &in.ClusterRoles, &out.ClusterRoles - *out = make([]string, len(*in)) - copy(*out, *in) + if in.Value != nil { + in, out := &in.Value, &out.Value + *out = new(apiextensionsv1.JSON) + (*in).DeepCopyInto(*out) } - in.AdmissionUserInfo.DeepCopyInto(&out.AdmissionUserInfo) + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestInfo. -func (in *RequestInfo) DeepCopy() *RequestInfo { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestData. +func (in *RequestData) DeepCopy() *RequestData { if in == nil { return nil } - out := new(RequestInfo) + out := new(RequestData) in.DeepCopyInto(out) return out } 
@@ -1161,6 +1224,12 @@ func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription) { *out = new(metav1.LabelSelector) (*in).DeepCopyInto(*out) } + if in.Operations != nil { + in, out := &in.Operations, &out.Operations + *out = make([]AdmissionOperation, len(*in)) + copy(*out, *in) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription. @@ -1178,6 +1247,7 @@ func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter) { *out = *in in.UserInfo.DeepCopyInto(&out.UserInfo) in.ResourceDescription.DeepCopyInto(&out.ResourceDescription) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter. @@ -1198,6 +1268,7 @@ func (in ResourceFilters) DeepCopyInto(out *ResourceFilters) { for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } + return } } @@ -1214,6 +1285,7 @@ func (in ResourceFilters) DeepCopy() ResourceFilters { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceSpec. @@ -1255,8 +1327,12 @@ func (in *Rule) DeepCopyInto(out *Rule) { } if in.RawAnyAllConditions != nil { in, out := &in.RawAnyAllConditions, &out.RawAnyAllConditions - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() + } + if in.CELPreconditions != nil { + in, out := &in.CELPreconditions, &out.CELPreconditions + *out = make([]v1alpha1.MatchCondition, len(*in)) + copy(*out, *in) } in.Mutation.DeepCopyInto(&out.Mutation) in.Validation.DeepCopyInto(&out.Validation) @@ -1268,6 +1344,7 @@ func (in *Rule) DeepCopyInto(out *Rule) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. 
@@ -1283,6 +1360,7 @@ func (in *Rule) DeepCopy() *Rule { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *RuleCountStatus) DeepCopyInto(out *RuleCountStatus) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleCountStatus. @@ -1298,6 +1376,7 @@ func (in *RuleCountStatus) DeepCopy() *RuleCountStatus { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *SecretReference) DeepCopyInto(out *SecretReference) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretReference. @@ -1313,13 +1392,7 @@ func (in *SecretReference) DeepCopy() *SecretReference { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ServiceCall) DeepCopyInto(out *ServiceCall) { *out = *in - if in.Data != nil { - in, out := &in.Data, &out.Data - *out = make([]RequestData, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceCall. @@ -1359,6 +1432,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Admission != nil { + in, out := &in.Admission, &out.Admission + *out = new(bool) + **out = **in + } if in.Background != nil { in, out := &in.Background, &out.Background *out = new(bool) 
@@ -1374,6 +1452,17 @@ func (in *Spec) DeepCopyInto(out *Spec) { *out = new(int32) **out = **in } + if in.GenerateExistingOnPolicyUpdate != nil { + in, out := &in.GenerateExistingOnPolicyUpdate, &out.GenerateExistingOnPolicyUpdate + *out = new(bool) + **out = **in + } + if in.WebhookConfiguration != nil { + in, out := &in.WebhookConfiguration, &out.WebhookConfiguration + *out = new(WebhookConfiguration) + (*in).DeepCopyInto(*out) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec. @@ -1396,9 +1485,15 @@ func (in *StaticKeyAttestor) DeepCopyInto(out *StaticKeyAttestor) { } if in.Rekor != nil { in, out := &in.Rekor, &out.Rekor + *out = new(Rekor) + **out = **in + } + if in.CTLog != nil { + in, out := &in.CTLog, &out.CTLog *out = new(CTLog) **out = **in } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticKeyAttestor. 
@@ -1411,6 +1506,34 @@ func (in *StaticKeyAttestor) DeepCopy() *StaticKeyAttestor { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *TargetResourceSpec) DeepCopyInto(out *TargetResourceSpec) { + *out = *in + out.ResourceSpec = in.ResourceSpec + if in.Context != nil { + in, out := &in.Context, &out.Context + *out = make([]ContextEntry, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RawAnyAllConditions != nil { + in, out := &in.RawAnyAllConditions, &out.RawAnyAllConditions + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetResourceSpec. +func (in *TargetResourceSpec) DeepCopy() *TargetResourceSpec { + if in == nil { + return nil + } + out := new(TargetResourceSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *UserInfo) DeepCopyInto(out *UserInfo) { *out = *in @@ -1429,6 +1552,7 @@ func (in *UserInfo) DeepCopyInto(out *UserInfo) { *out = make([]rbacv1.Subject, len(*in)) copy(*out, *in) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo. 
@@ -1441,9 +1565,37 @@ func (in *UserInfo) DeepCopy() *UserInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ValidatingAdmissionPolicyStatus) DeepCopyInto(out *ValidatingAdmissionPolicyStatus) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingAdmissionPolicyStatus. +func (in *ValidatingAdmissionPolicyStatus) DeepCopy() *ValidatingAdmissionPolicyStatus { + if in == nil { + return nil + } + out := new(ValidatingAdmissionPolicyStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(ValidationFailureAction) + **out = **in + } + if in.ValidationFailureActionOverrides != nil { + in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + *out = make([]ValidationFailureActionOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Manifests != nil { in, out := &in.Manifests, &out.Manifests *out = new(Manifests) @@ -1476,6 +1628,13 @@ func (in *Validation) DeepCopyInto(out *Validation) { *out = new(PodSecurity) (*in).DeepCopyInto(*out) } + if in.CEL != nil { + in, out := &in.CEL, &out.CEL + *out = new(CEL) + (*in).DeepCopyInto(*out) + } + in.Assert.DeepCopyInto(&out.Assert) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation. 
@@ -1501,6 +1660,7 @@ func (in *ValidationFailureActionOverride) DeepCopyInto(out *ValidationFailureAc *out = new(metav1.LabelSelector) (*in).DeepCopyInto(*out) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationFailureActionOverride. @@ -1518,14 +1678,13 @@ func (in *Variable) DeepCopyInto(out *Variable) { *out = *in if in.Value != nil { in, out := &in.Value, &out.Value - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.Default != nil { in, out := &in.Default, &out.Default - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Variable. 
@@ -1539,16 +1698,32 @@ func (in *Variable) DeepCopy() *Variable { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ViolatedRule) DeepCopyInto(out *ViolatedRule) { +func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration) { *out = *in + if in.FailurePolicy != nil { + in, out := &in.FailurePolicy, &out.FailurePolicy + *out = new(FailurePolicyType) + **out = **in + } + if in.TimeoutSeconds != nil { + in, out := &in.TimeoutSeconds, &out.TimeoutSeconds + *out = new(int32) + **out = **in + } + if in.MatchConditions != nil { + in, out := &in.MatchConditions, &out.MatchConditions + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ViolatedRule. -func (in *ViolatedRule) DeepCopy() *ViolatedRule { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration. +func (in *WebhookConfiguration) DeepCopy() *WebhookConfiguration { if in == nil { return nil } - out := new(ViolatedRule) + out := new(WebhookConfiguration) in.DeepCopyInto(out) return out } diff --git a/api/kyverno/v1/zz_generated.defaults.go b/api/kyverno/v1/zz_generated.defaults.go new file mode 100644 index 000000000000..dac177e93bd0 --- /dev/null +++ b/api/kyverno/v1/zz_generated.defaults.go 
@@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/api/kyverno/v1/zz_generated.register.go b/api/kyverno/v1/zz_generated.register.go new file mode 100644 index 000000000000..4db974e94204 --- /dev/null +++ b/api/kyverno/v1/zz_generated.register.go 
@@ -0,0 +1,69 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "kyverno.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. 
+ localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &ClusterPolicy{}, + &ClusterPolicyList{}, + &Policy{}, + &PolicyList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/api/kyverno/v1alpha2/admission_report_types.go b/api/kyverno/v1alpha2/admission_report_types.go deleted file mode 100644 index b743d8784a4e..000000000000 --- a/api/kyverno/v1alpha2/admission_report_types.go +++ /dev/null 
@@ -1,128 +0,0 @@
-/*
-Copyright 2020 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
- policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-type AdmissionReportSpec struct {
- // Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)
- Owner metav1.OwnerReference `json:"owner"`
-
- // PolicyReportSummary provides a summary of results
- // +optional
- Summary policyreportv1alpha2.PolicyReportSummary `json:"summary,omitempty"`
-
- // PolicyReportResult provides result details
- // +optional
- Results []policyreportv1alpha2.PolicyReportResult `json:"results,omitempty"`
-}
-
-// +genclient
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:resource:shortName=admr,categories=kyverno
-// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1
-// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".spec.summary.error"
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".spec.summary.skip"
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Hash",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.hash']",priority=1
-// +kubebuilder:printcolumn:name="AGGREGATE",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/report\\.aggregate']",priority=1
-
-// AdmissionReport is the Schema for the AdmissionReports API
-type AdmissionReport struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec AdmissionReportSpec `json:"spec"`
-}
-
-func (r *AdmissionReport) GetResults() []policyreportv1alpha2.PolicyReportResult {
- return r.Spec.Results
-}
-
-func (r *AdmissionReport) SetResults(results []policyreportv1alpha2.PolicyReportResult) {
- r.Spec.Results = results
-}
-
-func (r *AdmissionReport) SetSummary(summary policyreportv1alpha2.PolicyReportSummary) {
- r.Spec.Summary = summary
-}
-
-// +genclient
-// +genclient:nonNamespaced
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:resource:scope=Cluster,shortName=cadmr,categories=kyverno
-// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1
-// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".spec.summary.error"
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".spec.summary.skip"
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Hash",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.hash']",priority=1
-// +kubebuilder:printcolumn:name="AGGREGATE",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/report\\.aggregate']",priority=1
-
-// ClusterAdmissionReport is the Schema for the ClusterAdmissionReports API
-type ClusterAdmissionReport struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec AdmissionReportSpec `json:"spec"`
-}
-
-func (r *ClusterAdmissionReport) GetResults() []policyreportv1alpha2.PolicyReportResult {
- return r.Spec.Results
-}
-
-func (r *ClusterAdmissionReport) SetResults(results []policyreportv1alpha2.PolicyReportResult) {
- r.Spec.Results = results
-}
-
-func (r *ClusterAdmissionReport) SetSummary(summary policyreportv1alpha2.PolicyReportSummary) {
- r.Spec.Summary = summary
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// AdmissionReportList contains a list of AdmissionReport
-type AdmissionReportList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata,omitempty"`
- Items []AdmissionReport `json:"items"`
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ClusterAdmissionReportList contains a list of ClusterAdmissionReport
-type ClusterAdmissionReportList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata,omitempty"`
- Items []ClusterAdmissionReport `json:"items"`
-}
diff --git a/api/kyverno/v1alpha2/background_scan_report_types.go b/api/kyverno/v1alpha2/background_scan_report_types.go
deleted file mode 100644
index 447e5011261e..000000000000
--- a/api/kyverno/v1alpha2/background_scan_report_types.go
+++ /dev/null
@@ -1,123 +0,0 @@
-/*
-Copyright 2020 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
- policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-type BackgroundScanReportSpec struct {
- // PolicyReportSummary provides a summary of results
- // +optional
- Summary policyreportv1alpha2.PolicyReportSummary `json:"summary,omitempty"`
-
- // PolicyReportResult provides result details
- // +optional
- Results []policyreportv1alpha2.PolicyReportResult `json:"results,omitempty"`
-}
-
-// +genclient
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:resource:shortName=bgscanr,categories=kyverno
-// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1
-// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".spec.summary.error"
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".spec.summary.skip"
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Hash",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.hash']",priority=1
-
-// BackgroundScanReport is the Schema for the BackgroundScanReports API
-type BackgroundScanReport struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec BackgroundScanReportSpec `json:"spec"`
-}
-
-func (r *BackgroundScanReport) GetResults() []policyreportv1alpha2.PolicyReportResult {
- return r.Spec.Results
-}
-
-func (r *BackgroundScanReport) SetResults(results []policyreportv1alpha2.PolicyReportResult) {
- r.Spec.Results = results
-}
-
-func (r *BackgroundScanReport) SetSummary(summary policyreportv1alpha2.PolicyReportSummary) {
- r.Spec.Summary = summary
-}
-
-// +genclient
-// +genclient:nonNamespaced
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:resource:scope=Cluster,shortName=cbgscanr,categories=kyverno
-// +kubebuilder:printcolumn:name="ApiVersion",type=string,JSONPath=".metadata.ownerReferences[0].apiVersion",priority=1
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.ownerReferences[0].kind",priority=1
-// +kubebuilder:printcolumn:name="Subject",type=string,JSONPath=".metadata.ownerReferences[0].name",priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".spec.summary.error"
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".spec.summary.skip"
-// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
-// +kubebuilder:printcolumn:name="Hash",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.hash']",priority=1
-
-// ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports API
-type ClusterBackgroundScanReport struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ObjectMeta `json:"metadata,omitempty"`
- Spec BackgroundScanReportSpec `json:"spec"`
-}
-
-func (r *ClusterBackgroundScanReport) GetResults() []policyreportv1alpha2.PolicyReportResult {
- return r.Spec.Results
-}
-
-func (r *ClusterBackgroundScanReport) SetResults(results []policyreportv1alpha2.PolicyReportResult) {
- r.Spec.Results = results
-}
-
-func (r *ClusterBackgroundScanReport) SetSummary(summary policyreportv1alpha2.PolicyReportSummary) {
- r.Spec.Summary = summary
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// BackgroundScanReportList contains a list of BackgroundScanReport
-type BackgroundScanReportList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata,omitempty"`
- Items []BackgroundScanReport `json:"items"`
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ClusterBackgroundScanReportList contains a list of ClusterBackgroundScanReport
-type ClusterBackgroundScanReportList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata,omitempty"`
- Items []ClusterBackgroundScanReport `json:"items"`
-}
diff --git a/api/kyverno/v1alpha2/doc.go b/api/kyverno/v1alpha2/doc.go
deleted file mode 100644
index 598479fc95c6..000000000000
--- a/api/kyverno/v1alpha2/doc.go
+++ /dev/null
@@ -1,21 +0,0 @@
-/*
-Copyright 2020 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group
-// +k8s:deepcopy-gen=package
-// +kubebuilder:object:generate=true
-// +groupName=kyverno.io
-package v1alpha2
diff --git a/api/kyverno/v1alpha2/interface.go b/api/kyverno/v1alpha2/interface.go
deleted file mode 100644
index 772b217972c4..000000000000
--- a/api/kyverno/v1alpha2/interface.go
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
-Copyright 2020 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
- policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +kubebuilder:object:generate=false
-
-// ReportInterface abstracts the concrete report change request type
-type ReportInterface interface {
- metav1.Object
- GetResults() []policyreportv1alpha2.PolicyReportResult
- SetResults([]policyreportv1alpha2.PolicyReportResult)
- SetSummary(policyreportv1alpha2.PolicyReportSummary)
-}
diff --git a/api/kyverno/v1alpha2/register.go b/api/kyverno/v1alpha2/register.go
deleted file mode 100755
index 191299c8ccb4..000000000000
--- a/api/kyverno/v1alpha2/register.go
+++ /dev/null
@@ -1,64 +0,0 @@ -/* -Copyright 2020 The Kubernetes authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group -// +kubebuilder:object:generate=true -// +groupName=kyverno.io -package v1alpha2 - -import ( - "github.com/kyverno/kyverno/api/kyverno" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -// SchemeGroupVersion is group version used to register these objects -var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v1alpha2"} - -// Kind takes an unqualified kind and returns back a Group qualified GroupKind -func Kind(kind string) schema.GroupKind { - return SchemeGroupVersion.WithKind(kind).GroupKind() -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} - -var ( - // SchemeBuilder builds the scheme - SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) - - // AddToScheme adds all types of this clientset into the given scheme - AddToScheme = SchemeBuilder.AddToScheme -) - -// Adds the list of known types to Scheme. 
-func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &AdmissionReport{}, - &AdmissionReportList{}, - &BackgroundScanReport{}, - &BackgroundScanReportList{}, - &ClusterAdmissionReport{}, - &ClusterAdmissionReportList{}, - &ClusterBackgroundScanReport{}, - &ClusterBackgroundScanReportList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} diff --git a/api/kyverno/v1alpha2/zz_generated.deepcopy.go b/api/kyverno/v1alpha2/zz_generated.deepcopy.go deleted file mode 100644 index 668fe7a4cddd..000000000000 --- a/api/kyverno/v1alpha2/zz_generated.deepcopy.go +++ /dev/null 
@@ -1,306 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -/* -Copyright The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by controller-gen. DO NOT EDIT. - -package v1alpha2 - -import ( - policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" - "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AdmissionReport) DeepCopyInto(out *AdmissionReport) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReport. -func (in *AdmissionReport) DeepCopy() *AdmissionReport { - if in == nil { - return nil - } - out := new(AdmissionReport) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *AdmissionReport) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *AdmissionReportList) DeepCopyInto(out *AdmissionReportList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]AdmissionReport, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReportList. -func (in *AdmissionReportList) DeepCopy() *AdmissionReportList { - if in == nil { - return nil - } - out := new(AdmissionReportList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *AdmissionReportList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *AdmissionReportSpec) DeepCopyInto(out *AdmissionReportSpec) { - *out = *in - in.Owner.DeepCopyInto(&out.Owner) - out.Summary = in.Summary - if in.Results != nil { - in, out := &in.Results, &out.Results - *out = make([]policyreportv1alpha2.PolicyReportResult, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionReportSpec. -func (in *AdmissionReportSpec) DeepCopy() *AdmissionReportSpec { - if in == nil { - return nil - } - out := new(AdmissionReportSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *BackgroundScanReport) DeepCopyInto(out *BackgroundScanReport) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundScanReport. -func (in *BackgroundScanReport) DeepCopy() *BackgroundScanReport { - if in == nil { - return nil - } - out := new(BackgroundScanReport) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *BackgroundScanReport) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *BackgroundScanReportList) DeepCopyInto(out *BackgroundScanReportList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]BackgroundScanReport, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundScanReportList. -func (in *BackgroundScanReportList) DeepCopy() *BackgroundScanReportList { - if in == nil { - return nil - } - out := new(BackgroundScanReportList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *BackgroundScanReportList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *BackgroundScanReportSpec) DeepCopyInto(out *BackgroundScanReportSpec) { - *out = *in - out.Summary = in.Summary - if in.Results != nil { - in, out := &in.Results, &out.Results - *out = make([]policyreportv1alpha2.PolicyReportResult, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundScanReportSpec. -func (in *BackgroundScanReportSpec) DeepCopy() *BackgroundScanReportSpec { - if in == nil { - return nil - } - out := new(BackgroundScanReportSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterAdmissionReport) DeepCopyInto(out *ClusterAdmissionReport) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionReport. -func (in *ClusterAdmissionReport) DeepCopy() *ClusterAdmissionReport { - if in == nil { - return nil - } - out := new(ClusterAdmissionReport) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterAdmissionReport) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *ClusterAdmissionReportList) DeepCopyInto(out *ClusterAdmissionReportList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ClusterAdmissionReport, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterAdmissionReportList. -func (in *ClusterAdmissionReportList) DeepCopy() *ClusterAdmissionReportList { - if in == nil { - return nil - } - out := new(ClusterAdmissionReportList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterAdmissionReportList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterBackgroundScanReport) DeepCopyInto(out *ClusterBackgroundScanReport) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterBackgroundScanReport. -func (in *ClusterBackgroundScanReport) DeepCopy() *ClusterBackgroundScanReport { - if in == nil { - return nil - } - out := new(ClusterBackgroundScanReport) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterBackgroundScanReport) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *ClusterBackgroundScanReportList) DeepCopyInto(out *ClusterBackgroundScanReportList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ClusterBackgroundScanReport, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterBackgroundScanReportList. -func (in *ClusterBackgroundScanReportList) DeepCopy() *ClusterBackgroundScanReportList { - if in == nil { - return nil - } - out := new(ClusterBackgroundScanReportList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterBackgroundScanReportList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} diff --git a/api/kyverno/v1beta1/constants.go b/api/kyverno/v1beta1/constants.go index 8b2fb4a8d640..599cf3360b7e 100644 --- a/api/kyverno/v1beta1/constants.go +++ b/api/kyverno/v1beta1/constants.go 
@@ -5,12 +5,13 @@ const (
 URMutatePolicyLabel = "mutate.updaterequest.kyverno.io/policy-name"
 URMutateTriggerNameLabel = "mutate.updaterequest.kyverno.io/trigger-name"
 URMutateTriggerNSLabel = "mutate.updaterequest.kyverno.io/trigger-namespace"
- URMutatetriggerKindLabel = "mutate.updaterequest.kyverno.io/trigger-kind"
- URMutatetriggerAPIVersionLabel = "mutate.updaterequest.kyverno.io/trigger-apiversion"
+ URMutateTriggerKindLabel = "mutate.updaterequest.kyverno.io/trigger-kind"
+ URMutateTriggerAPIVersionLabel = "mutate.updaterequest.kyverno.io/trigger-apiversion"
 // URGeneratePolicyLabel adds the policy name to URs for generate policies
 URGeneratePolicyLabel = "generate.kyverno.io/policy-name"
 URGenerateResourceNameLabel = "generate.kyverno.io/resource-name"
+ URGenerateResourceUIDLabel = "generate.kyverno.io/resource-uid"
 URGenerateResourceNSLabel = "generate.kyverno.io/resource-namespace"
 URGenerateResourceKindLabel = "generate.kyverno.io/resource-kind"
 URGenerateRetryCountAnnotation = "generate.kyverno.io/retry-count"
diff --git a/api/kyverno/v1beta1/register.go b/api/kyverno/v1beta1/register.go
deleted file mode 100644
index bf92bc0c7687..000000000000
--- a/api/kyverno/v1beta1/register.go
+++ /dev/null
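Review bot: The new `URGenerateResourceUIDLabel` constant is added without a comment, while its neighbour `URGeneratePolicyLabel` documents what it adds to URs; a parallel line such as `// URGenerateResourceUIDLabel adds the resource UID to URs for generate policies` keeps the block consistent. Separately, `URMutatetriggerKindLabel` and `URMutatetriggerAPIVersionLabel` are exported and the hunk removes the old spellings outright, so any out-of-tree code importing them stops compiling; if that matters, keeping the old identifiers as `// Deprecated:` aliases of the new ones is cheap. The `const (` block begins above this hunk.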
@@ -1,58 +0,0 @@ -/* -Copyright 2022. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package v1beta1 contains API Schema definitions for the kyverno.io v1beta1 API group -// +kubebuilder:object:generate=true -// +groupName=kyverno.io -package v1beta1 - -import ( - "github.com/kyverno/kyverno/api/kyverno" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -// SchemeGroupVersion is group version used to register these objects -var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v1beta1"} - -// Kind takes an unqualified kind and returns back a Group qualified GroupKind -func Kind(kind string) schema.GroupKind { - return SchemeGroupVersion.WithKind(kind).GroupKind() -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} - -var ( - // SchemeBuilder builds the scheme - SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) - - // AddToScheme adds all types of this clientset into the given scheme - AddToScheme = SchemeBuilder.AddToScheme -) - -// Adds the list of known types to Scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &UpdateRequest{}, - &UpdateRequestList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} 
diff --git a/api/kyverno/v1beta1/updaterequest_types.go b/api/kyverno/v1beta1/updaterequest_types.go
index ab83b2c2d7dd..ba40449a840e 100644
--- a/api/kyverno/v1beta1/updaterequest_types.go
+++ b/api/kyverno/v1beta1/updaterequest_types.go
@@ -25,7 +25,7 @@ import (
 // UpdateRequestStatus defines the observed state of UpdateRequest
 type UpdateRequestStatus struct {
- // Handler represents the instance ID that handles the UR
+ // Deprecated
 Handler string `json:"handler,omitempty" yaml:"handler,omitempty"`
 // State represents state of the update request.
@@ -38,6 +38,8 @@ type UpdateRequestStatus struct {
 // This will track the resources that are updated by the generate Policy.
 // Will be used during clean up resources.
 GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
+
+ RetryCount int `json:"retryCount,omitempty" yaml:"retryCount,omitempty"`
 }
 // +genclient
@@ -45,6 +47,7 @@ type UpdateRequestStatus struct {
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy"
+// +kubebuilder:printcolumn:name="Rule",type="string",JSONPath=".spec.rule"
 // +kubebuilder:printcolumn:name="RuleType",type="string",JSONPath=".spec.requestType"
 // +kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind"
 // +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
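Review bot: The replacement comment `// Deprecated` on `Handler` does not follow the Go convention (`// Deprecated: ...`, colon plus a sentence), so staticcheck and godoc will not surface the deprecation, and the reader is not told what, if anything, replaces the field; a line of the form `// Deprecated: Handler <PLACEHOLDER: reason, and what supersedes it or that nothing does>.` is picked up by tooling. The `RetryCount` field added in the second hunk also has no doc comment, unlike every other field of `UpdateRequestStatus` visible here; a one-line comment saying what increments it and when it resets would be enough. The struct continues outside these hunks.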
@@ -52,13 +55,14 @@ type UpdateRequestStatus struct {
 // +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:shortName=ur,categories=kyverno
+// +kubebuilder:deprecatedversion
 // UpdateRequest is a request to process mutate and generate rules in background.
 type UpdateRequest struct {
 metav1.TypeMeta `json:",inline"`
 metav1.ObjectMeta `json:"metadata,omitempty"`
- // Spec is the information to identify the update request.
+ // ResourceSpec is the information to identify the trigger resource.
 Spec UpdateRequestSpec `json:"spec,omitempty"`
 // Status contains statistics related to update request.
@@ -82,7 +86,17 @@ type UpdateRequestSpec struct {
 // Specifies the name of the policy.
 Policy string `json:"policy" yaml:"policy"`
- // ResourceSpec is the information to identify the update request.
+ // Rule is the associate rule name of the current UR.
+ Rule string `json:"rule" yaml:"rule"`
+
+ // DeleteDownstream represents whether the downstream needs to be deleted.
+ DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
+
+ // Synchronize represents the sync behavior of the corresponding rule
+ // Optional. Defaults to "false" if not specified.
+ Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
+
+ // ResourceSpec is the information to identify the trigger resource.
 Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"`
 // Context ...
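Review bot: The doc comment now placed above the `Spec` field of `UpdateRequest` reads `// ResourceSpec is the information to identify the trigger resource.`, which names a different field and duplicates the comment the second hunk adds above `Resource` in `UpdateRequestSpec`; this looks like a copy-paste slip, and the original `// Spec is the information to identify the update request.` should be restored. In the second hunk `Rule` and `DeleteDownstream` are tagged without `omitempty`, so controller-gen will list them as required in the CRD schema while `Synchronize` stays optional; if that split is deliberate it deserves a `// +optional` on `Synchronize` and a note on the two required fields, since UpdateRequest objects submitted without them would presumably be rejected by schema validation after the upgrade. Minor wording: `associate rule name` should be `associated rule name`. Both structs extend beyond these hunks.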
@@ -102,12 +116,12 @@ type RequestInfo struct {
 // Roles is a list of possible role send the request.
 // +nullable
 // +optional
- Roles []string `json:"roles" yaml:"roles"`
+ Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
 // ClusterRoles is a list of possible clusterRoles send the request.
 // +nullable
 // +optional
- ClusterRoles []string `json:"clusterRoles" yaml:"clusterRoles"`
+ ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
 // UserInfo is the userInfo carried in the admission request.
 // +optional
@@ -139,7 +153,8 @@ const (
 Skip UpdateRequestState = "Skip"
 )
-//+kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
 // UpdateRequestList contains a list of UpdateRequest
 type UpdateRequestList struct {
@@ -151,3 +166,19 @@ type UpdateRequestList struct {
 func (s *UpdateRequestSpec) GetRequestType() RequestType {
 return s.Type
 }
+
+func (s *UpdateRequestSpec) GetPolicyKey() string {
+ return s.Policy
+}
+
+func (s *UpdateRequestSpec) GetRuleName() string {
+ return s.Rule
+}
+
+func (s *UpdateRequestSpec) GetSynchronize() bool {
+ return s.Synchronize
+}
+
+func (s *UpdateRequestSpec) GetResource() kyvernov1.ResourceSpec {
+ return s.Resource
+}
diff --git a/api/kyverno/v1beta1/zz_generated.deepcopy.go b/api/kyverno/v1beta1/zz_generated.deepcopy.go
index ed4f1b2fd291..faf076fa45ad 100644
--- a/api/kyverno/v1beta1/zz_generated.deepcopy.go
+++ b/api/kyverno/v1beta1/zz_generated.deepcopy.go
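Review bot: The four exported getters added in the last hunk (`GetPolicyKey`, `GetRuleName`, `GetSynchronize`, `GetResource`) carry no doc comments, and the pre-existing `GetRequestType` above them sets the same precedent; each should open with its name, e.g. `// GetPolicyKey returns the policy name recorded in the spec.` That comment also exposes a naming mismatch: `GetPolicyKey` returns `s.Policy`, whose own comment in the earlier hunk is "Specifies the name of the policy", so if callers expect a namespaced key rather than a bare name the method name is misleading and the returned form should be stated in the comment. The `RequestInfo` and `UpdateRequestList` types in the first two hunks continue outside the visible lines.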
@@ -17,14 +17,14 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by controller-gen. DO NOT EDIT. +// Code generated by deepcopy-gen. DO NOT EDIT. package v1beta1 import ( - v1 "github.com/kyverno/kyverno/api/kyverno/v1" - admissionv1 "k8s.io/api/admission/v1" - "k8s.io/apimachinery/pkg/runtime" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + v1 "k8s.io/api/admission/v1" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -32,9 +32,10 @@ func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObje *out = *in if in.AdmissionRequest != nil { in, out := &in.AdmissionRequest, &out.AdmissionRequest - *out = new(admissionv1.AdmissionRequest) + *out = new(v1.AdmissionRequest) (*in).DeepCopyInto(*out) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject. @@ -61,6 +62,7 @@ func (in *RequestInfo) DeepCopyInto(out *RequestInfo) { copy(*out, *in) } in.AdmissionUserInfo.DeepCopyInto(&out.AdmissionUserInfo) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestInfo. @@ -80,6 +82,7 @@ func (in *UpdateRequest) DeepCopyInto(out *UpdateRequest) { in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequest. @@ -112,6 +115,7 @@ func (in *UpdateRequestList) DeepCopyInto(out *UpdateRequestList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestList. 
@@ -137,6 +141,7 @@ func (in *UpdateRequestSpec) DeepCopyInto(out *UpdateRequestSpec) { *out = *in out.Resource = in.Resource in.Context.DeepCopyInto(&out.Context) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpec. @@ -154,6 +159,7 @@ func (in *UpdateRequestSpecContext) DeepCopyInto(out *UpdateRequestSpecContext) *out = *in in.UserRequestInfo.DeepCopyInto(&out.UserRequestInfo) in.AdmissionRequestInfo.DeepCopyInto(&out.AdmissionRequestInfo) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpecContext. @@ -171,9 +177,10 @@ func (in *UpdateRequestStatus) DeepCopyInto(out *UpdateRequestStatus) { *out = *in if in.GeneratedResources != nil { in, out := &in.GeneratedResources, &out.GeneratedResources - *out = make([]v1.ResourceSpec, len(*in)) + *out = make([]kyvernov1.ResourceSpec, len(*in)) copy(*out, *in) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestStatus. diff --git a/api/kyverno/v1beta1/zz_generated.defaults.go b/api/kyverno/v1beta1/zz_generated.defaults.go new file mode 100644 index 000000000000..198b5be4af53 --- /dev/null +++ b/api/kyverno/v1beta1/zz_generated.defaults.go 
@@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1beta1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/api/kyverno/v1beta1/zz_generated.register.go b/api/kyverno/v1beta1/zz_generated.register.go new file mode 100644 index 000000000000..d0d5cfefe9dd --- /dev/null +++ b/api/kyverno/v1beta1/zz_generated.register.go 
@@ -0,0 +1,67 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v1beta1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "kyverno.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1beta1"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. 
The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &UpdateRequest{}, + &UpdateRequestList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/api/kyverno/v2/cleanup_policy_interface.go b/api/kyverno/v2/cleanup_policy_interface.go new file mode 100644 index 000000000000..71a0b82db764 --- /dev/null +++ b/api/kyverno/v2/cleanup_policy_interface.go @@ -0,0 +1,23 @@ +package v2 + +import ( + "time" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +// CleanupPolicyInterface abstracts the concrete policy type (CleanupPolicy vs ClusterCleanupPolicy) +// +kubebuilder:object:generate=false +type CleanupPolicyInterface interface { + metav1.Object + IsNamespaced() bool + GetSpec() *CleanupPolicySpec + GetStatus() *CleanupPolicyStatus + GetExecutionTime() (*time.Time, error) + GetNextExecutionTime(time.Time) (*time.Time, error) + Validate(sets.Set[string]) field.ErrorList + GetKind() string + GetAPIVersion() string +} diff --git a/api/kyverno/v2/cleanup_policy_test.go b/api/kyverno/v2/cleanup_policy_test.go new file mode 100644 index 000000000000..f9d03560f0f5 --- /dev/null +++ b/api/kyverno/v2/cleanup_policy_test.go 
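Review bot: In the new `CleanupPolicyInterface` the `// +kubebuilder:object:generate=false` marker sits directly under the doc sentence with no blank line, so it is rendered as part of the interface's godoc; the deleted `v1alpha2` `ReportInterface` earlier in this diff kept the marker separated from the type by a blank line, which is the usual layout. The parameter of `Validate(sets.Set[string]) field.ErrorList` is unnamed and undocumented, and the accompanying test calls it with `nil`, so a reader cannot tell what the set is expected to hold or whether nil is a supported input; naming it, as in `Validate(<PLACEHOLDER: what the set holds> sets.Set[string]) field.ErrorList`, plus a one-line comment would make that contract explicit. Likewise `GetExecutionTime` and `GetNextExecutionTime` return `(*time.Time, error)` without saying when the pointer may be nil alongside a nil error, which callers need to know before dereferencing.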
@@ -0,0 +1,712 @@ +package v2 + +import ( + "encoding/json" + "fmt" + "testing" + + "gotest.tools/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +func Test_CleanupPolicy_Name(t *testing.T) { + subject := CleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", + }, + Spec: CleanupPolicySpec{ + Schedule: "* * * * *", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "metadata.name") + assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) + assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") + assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") +} + +func Test_CleanupPolicy_Schedule(t *testing.T) { + subject := CleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-policy", + }, + Spec: CleanupPolicySpec{ + Schedule: "schedule-not-in-proper-cron-format", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "spec.schedule") + assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) + assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") + assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) +} + +func Test_ClusterCleanupPolicy_Name(t *testing.T) { + subject := ClusterCleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", + }, + Spec: CleanupPolicySpec{ + Schedule: "* * * * *", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "metadata.name") + assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) + 
assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") + assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") +} + +func Test_ClusterCleanupPolicy_Schedule(t *testing.T) { + subject := ClusterCleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-policy", + }, + Spec: CleanupPolicySpec{ + Schedule: "schedule-not-in-proper-cron-format", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "spec.schedule") + assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) + assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") + assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) +} + +func Test_doesMatchExcludeConflict_cleanupPolicy(t *testing.T) { + path := field.NewPath("dummy") + testcases := []struct { + description string + policySpec []byte + errors func(r *CleanupPolicySpec) field.ErrorList + }{ + { + description: "Same match and exclude", + policySpec: []byte(` +{ + "match": { + "any": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "any": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + errors: func(r *CleanupPolicySpec) (errs field.ErrorList) { + return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty 
set")) + }, + }, + { + description: "Failed to exclude kind", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude name", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something-*", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude namespace", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + 
}] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something3", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude labels", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "higha" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude expression", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "databases" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: 
"Failed to exclude subjects", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude clusterroles", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude roles", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { 
+ "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "empty case", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "selector": { + "matchLabels": { + "allow-deletes": "false" + } + } + } + }] + }, + "exclude": {}, + "schedule": "* * * * *" +}`), + }, + } + for _, testcase := range testcases { + t.Run(testcase.description, func(t *testing.T) { + var policySpec CleanupPolicySpec + err := json.Unmarshal(testcase.policySpec, &policySpec) + assert.NilError(t, err) + errs := policySpec.ValidateMatchExcludeConflict(path) + var expectedErrs field.ErrorList + if testcase.errors != nil { + expectedErrs = testcase.errors(&policySpec) + } + assert.Equal(t, len(errs), len(expectedErrs)) + for i := range errs { + fmt.Println(i) + assert.Equal(t, errs[i].Error(), expectedErrs[i].Error()) + } + }) + } +} diff --git a/api/kyverno/v2/cleanup_policy_types.go b/api/kyverno/v2/cleanup_policy_types.go new file mode 100644 index 000000000000..cf74cc5847b0 --- /dev/null +++ b/api/kyverno/v2/cleanup_policy_types.go 
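Review bot: `fmt.Println(i)` in the assertion loop at the bottom of Test_doesMatchExcludeConflict_cleanupPolicy is leftover debug output; drop it, since a failing `assert.Equal` already reports the offending index in the test output. The cases named "Failed to exclude subjects", "Failed to exclude clusterroles" and "Failed to exclude roles" carry match and exclude blocks that are identical to each other, so what they actually exercise is the `all` early return in ValidateMatchExcludeConflict rather than the field the name suggests; renaming them to say so, or making the named field actually differ, would keep the table honest. It would also help to state in a comment that every `all` case and the "empty case" are expected to produce no errors, because a nil `errors` func is the only signal of that today.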
@@ -0,0 +1,295 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ "time"
+
+ "github.com/aptible/supercronic/cronexpr"
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ datautils "github.com/kyverno/kyverno/pkg/utils/data"
+ "github.com/robfig/cron"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/sets"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:shortName=cleanpol,categories=kyverno
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:storageversion
+
+// CleanupPolicy defines a rule for resource cleanup.
+type CleanupPolicy struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec declares policy behaviors.
+ Spec CleanupPolicySpec `json:"spec"`
+
+ // Status contains policy runtime data.
+ // +optional
+ Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// GetSpec returns the policy spec
+func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec {
+ return &p.Spec
+}
+
+// GetStatus returns the policy status
+func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus {
+ return &p.Status
+}
+
+// GetExecutionTime returns the execution time of the policy
+func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error) {
+ lastExecutionTime := p.Status.LastExecutionTime.Time
+ if lastExecutionTime.IsZero() {
+ creationTime := p.GetCreationTimestamp().Time
+ return p.GetNextExecutionTime(creationTime)
+ } else {
+ return p.GetNextExecutionTime(lastExecutionTime)
+ }
+}
+
+// GetNextExecutionTime returns the next execution time of the policy
+func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) {
+ cronExpr, err := cronexpr.Parse(p.Spec.Schedule)
+ if err != nil {
+ return nil, err
+ }
+ nextExecutionTime := cronExpr.Next(time)
+ return &nextExecutionTime, nil
+}
+
+// Validate implements programmatic validation
+func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
+ errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...)
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, true)...)
+ return errs
+}
+
+// GetKind returns the resource kind
+func (p *CleanupPolicy) GetKind() string {
+ return "CleanupPolicy"
+}
+
+// GetAPIVersion returns the resource kind
+func (p *CleanupPolicy) GetAPIVersion() string {
+ return p.APIVersion
+}
+
+// IsNamespaced indicates if the policy is namespace scoped
+func (p *CleanupPolicy) IsNamespaced() bool {
+ return true
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// CleanupPolicyList is a list of ClusterPolicy instances.
+type CleanupPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []CleanupPolicy `json:"items"`
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope=Cluster,shortName=ccleanpol,categories=kyverno
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:storageversion
+
+// ClusterCleanupPolicy defines rule for resource cleanup.
+type ClusterCleanupPolicy struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Spec declares policy behaviors.
+ Spec CleanupPolicySpec `json:"spec"`
+
+ // Status contains policy runtime data.
+ // +optional
+ Status CleanupPolicyStatus `json:"status,omitempty"`
+}
+
+// GetSpec returns the policy spec
+func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec {
+ return &p.Spec
+}
+
+// GetStatus returns the policy status
+func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus {
+ return &p.Status
+}
+
+// GetExecutionTime returns the execution time of the policy
+func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error) {
+ lastExecutionTime := p.Status.LastExecutionTime.Time
+ if lastExecutionTime.IsZero() {
+ creationTime := p.GetCreationTimestamp().Time
+ return p.GetNextExecutionTime(creationTime)
+ } else {
+ return p.GetNextExecutionTime(lastExecutionTime)
+ }
+}
+
+// GetNextExecutionTime returns the next execution time of the policy
+func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) {
+ cronExpr, err := cronexpr.Parse(p.Spec.Schedule)
+ if err != nil {
+ return nil, err
+ }
+ nextExecutionTime := cronExpr.Next(time)
+ return &nextExecutionTime, nil
+}
+
+// GetKind
returns the resource kind
+func (p *ClusterCleanupPolicy) GetKind() string {
+ return "ClusterCleanupPolicy"
+}
+
+// GetAPIVersion returns the resource kind
+func (p *ClusterCleanupPolicy) GetAPIVersion() string {
+ return p.APIVersion
+}
+
+// IsNamespaced indicates if the policy is namespace scoped
+func (p *ClusterCleanupPolicy) IsNamespaced() bool {
+ return false
+}
+
+// Validate implements programmatic validation
+func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) {
+ errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...)
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, false)...)
+ return errs
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances.
+type ClusterCleanupPolicyList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata"`
+ Items []ClusterCleanupPolicy `json:"items"`
+}
+
+// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete
+// and schedule when the matching resources needs deleted.
+type CleanupPolicySpec struct {
+ // Context defines variables and data sources that can be used during rule execution.
+ // +optional
+ Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`
+
+ // MatchResources defines when cleanuppolicy should be applied. The match
+ // criteria can include resource information (e.g. kind, name, namespace, labels)
+ // and admission review request information like the user name or role.
+ // At least one kind is required.
+ MatchResources MatchResources `json:"match,omitempty"`
+
+ // ExcludeResources defines when cleanuppolicy should not be applied. The exclude
+ // criteria can include resource information (e.g.
kind, name, namespace, labels)
+ // and admission review request information like the name or role.
+ // +optional
+ ExcludeResources *MatchResources `json:"exclude,omitempty"`
+
+ // The schedule in Cron format
+ Schedule string `json:"schedule"`
+
+ // Conditions defines the conditions used to select the resources which will be cleaned up.
+ // +optional
+ Conditions *AnyAllConditions `json:"conditions,omitempty"`
+}
+
+// CleanupPolicyStatus stores the status of the policy.
+type CleanupPolicyStatus struct {
+ Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"`
+ LastExecutionTime metav1.Time `json:"lastExecutionTime,omitempty"`
+}
+
+// Validate implements programmatic validation
+func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) {
+ // Write context validation code here by following other validations.
+ errs = append(errs, ValidateContext(path.Child("context"), p.Context)...)
+ errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...)
+ if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 {
+ errs = append(errs, userInfoErrs...)
+ } else {
+ errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
+ }
+ if p.ExcludeResources != nil {
+ if userInfoErrs := p.ExcludeResources.ValidateNoUserInfo(path.Child("exclude")); len(userInfoErrs) != 0 {
+ errs = append(errs, userInfoErrs...)
+ } else {
+ errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
+ }
+ }
+ errs = append(errs, p.ValidateMatchExcludeConflict(path)...)
+ return errs
+}
+
+func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) {
+ for _, entry := range context {
+ if entry.ImageRegistry != nil {
+ errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy"))
+ } else if entry.ConfigMap != nil {
+ errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy"))
+ }
+ }
+ return errs
+}
+
+// ValidateSchedule validates whether the schedule specified is in proper cron format or not.
+func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) {
+ if _, err := cron.ParseStandard(schedule); err != nil {
+ errs = append(errs, field.Invalid(path, schedule, "schedule spec in the cleanupPolicy is not in proper cron format"))
+ }
+ return errs
+}
+
+// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set
+func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) {
+ if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 {
+ return errs
+ }
+ // if both have any then no resource should be common
+ if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 {
+ for _, rmr := range spec.MatchResources.Any {
+ for _, rer := range spec.ExcludeResources.Any {
+ if datautils.DeepEqual(rmr, rer) {
+ return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
+ }
+ }
+ }
+ return errs
+ }
+ if datautils.DeepEqual(spec.ExcludeResources, &MatchResources{}) {
+ return errs
+ }
+ return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set"))
+}
diff --git a/api/kyverno/v2/condition.go b/api/kyverno/v2/condition.go
new file mode 100644
index 000000000000..acb5c143da44
--- /dev/null
+++ b/api/kyverno/v2/condition.go
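Review bot: ValidateSchedule accepts a schedule with `cron.ParseStandard` from robfig/cron, but GetNextExecutionTime on both policy types computes the next run with `cronexpr.Parse` from aptible/supercronic, so a schedule that passes admission validation can still fail to parse, or yield a different next time, when the controller executes it (if I recall correctly the two libraries differ at least on `@every` descriptors). Validating with the same parser that drives execution, `if _, err := cronexpr.Parse(schedule); err != nil {`, closes that gap; if robfig's stricter field rules are also wanted, keep both checks. The doc comment on GetAPIVersion for both CleanupPolicy and ClusterCleanupPolicy says "returns the resource kind" and should read `// GetAPIVersion returns the resource API version`. In GetNextExecutionTime the parameter named `time` shadows the `time` package inside the body; a name such as `from` avoids that. ValidateContext is exported without a doc comment and reports `context` (the whole slice) as the invalid value for every offending entry; `path.Index(i)` with the entry itself would point the user at the right element.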
@@ -0,0 +1,95 @@
+package v2
+
+import (
+ "github.com/kyverno/kyverno/api/kyverno"
+)
+
+// ConditionOperator is the operation performed on condition key and value.
+// +kubebuilder:validation:Enum=Equals;NotEquals;AnyIn;AllIn;AnyNotIn;AllNotIn;GreaterThanOrEquals;GreaterThan;LessThanOrEquals;LessThan;DurationGreaterThanOrEquals;DurationGreaterThan;DurationLessThanOrEquals;DurationLessThan
+type ConditionOperator string
+
+// ConditionOperators stores all the valid ConditionOperator types as key-value pairs.
+// "Equals" evaluates if the key is equal to the value.
+// "NotEquals" evaluates if the key is not equal to the value.
+// "AnyIn" evaluates if any of the keys are contained in the set of values.
+// "AllIn" evaluates if all the keys are contained in the set of values.
+// "AnyNotIn" evaluates if any of the keys are not contained in the set of values.
+// "AllNotIn" evaluates if all the keys are not contained in the set of values.
+// "GreaterThanOrEquals" evaluates if the key (numeric) is greater than or equal to the value (numeric).
+// "GreaterThan" evaluates if the key (numeric) is greater than the value (numeric).
+// "LessThanOrEquals" evaluates if the key (numeric) is less than or equal to the value (numeric).
+// "LessThan" evaluates if the key (numeric) is less than the value (numeric).
+// "DurationGreaterThanOrEquals" evaluates if the key (duration) is greater than or equal to the value (duration)
+// "DurationGreaterThan" evaluates if the key (duration) is greater than the value (duration)
+// "DurationLessThanOrEquals" evaluates if the key (duration) is less than or equal to the value (duration)
+// "DurationLessThan" evaluates if the key (duration) is greater than the value (duration)
+var ConditionOperators = map[string]ConditionOperator{
+ "Equals": ConditionOperator("Equals"),
+ "NotEquals": ConditionOperator("NotEquals"),
+ "AnyIn": ConditionOperator("AnyIn"),
+ "AllIn": ConditionOperator("AllIn"),
+ "AnyNotIn": ConditionOperator("AnyNotIn"),
+ "AllNotIn": ConditionOperator("AllNotIn"),
+ "GreaterThanOrEquals": ConditionOperator("GreaterThanOrEquals"),
+ "GreaterThan": ConditionOperator("GreaterThan"),
+ "LessThanOrEquals": ConditionOperator("LessThanOrEquals"),
+ "LessThan": ConditionOperator("LessThan"),
+ "DurationGreaterThanOrEquals": ConditionOperator("DurationGreaterThanOrEquals"),
+ "DurationGreaterThan": ConditionOperator("DurationGreaterThan"),
+ "DurationLessThanOrEquals": ConditionOperator("DurationLessThanOrEquals"),
+ "DurationLessThan": ConditionOperator("DurationLessThan"),
+}
+
+type Condition struct {
+ // Key is the context entry (using JMESPath) for conditional rule evaluation.
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ RawKey *kyverno.Any `json:"key,omitempty" yaml:"key,omitempty"`
+
+ // Operator is the conditional operation to perform. Valid operators are:
+ // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ // GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ // DurationLessThanOrEquals, DurationLessThan
+ Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`
+
+ // Value is the conditional value, or set of values.
The values can be fixed set
+ // or can be variables declared using JMESPath.
+ // +kubebuilder:validation:Schemaless
+ // +kubebuilder:pruning:PreserveUnknownFields
+ RawValue *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"`
+
+ // Message is an optional display message
+ Message string `json:"message,omitempty" yaml:"message,omitempty"`
+}
+
+func (c *Condition) GetKey() any {
+ return kyverno.FromAny(c.RawKey)
+}
+
+func (c *Condition) SetKey(in any) {
+ c.RawKey = kyverno.ToAny(in)
+}
+
+func (c *Condition) GetValue() any {
+ return kyverno.FromAny(c.RawValue)
+}
+
+func (c *Condition) SetValue(in any) {
+ c.RawValue = kyverno.ToAny(in)
+}
+
+type AnyAllConditions struct {
+ // AnyConditions enable variable-based conditional rule execution. This is useful for
+ // finer control of when an rule is applied. A condition can reference object data
+ // using JMESPath notation.
+ // Here, at least one of the conditions need to pass.
+ // +optional
+ AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`
+
+ // AllConditions enable variable-based conditional rule execution. This is useful for
+ // finer control of when an rule is applied. A condition can reference object data
+ // using JMESPath notation.
+ // Here, all of the conditions need to pass.
+ // +optional
+ AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
+}
diff --git a/api/kyverno/v2/condition_test.go b/api/kyverno/v2/condition_test.go
new file mode 100644
index 000000000000..aef703e30362
--- /dev/null
+++ b/api/kyverno/v2/condition_test.go
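Review bot: The operator doc block above ConditionOperators describes "DurationLessThan" as evaluating whether the key is greater than the value; it should read `// "DurationLessThan" evaluates if the key (duration) is less than the value (duration)`. The Operator field comment lists `In` and `NotIn` as valid operators, but neither appears in the kubebuilder Enum marker on ConditionOperator nor in the ConditionOperators map, so the list should be reconciled with the enum. Condition and AnyAllConditions are exported types without a doc comment; a one-line sentence on each, such as `// Condition is a single key/operator/value check evaluated during rule execution.`, would follow the Go convention the rest of the file uses.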
@@ -0,0 +1,53 @@
+package v2
+
+import (
+ "testing"
+
+ "github.com/kyverno/kyverno/api/kyverno"
+ "github.com/stretchr/testify/assert"
+ "k8s.io/apimachinery/pkg/util/json"
+)
+
+func TestCondition_Marshal(t *testing.T) {
+ type fields struct {
+ RawKey *kyverno.Any
+ Operator ConditionOperator
+ RawValue *kyverno.Any
+ Message string
+ }
+ tests := []struct {
+ name string
+ fields fields
+ want string
+ }{
+ {
+ name: "empty",
+ want: "{}",
+ }, {
+ name: "with key",
+ fields: fields{
+ RawKey: &kyverno.Any{
+ Value: "{{ request.object.name }}",
+ },
+ Operator: ConditionOperators["Equals"],
+ RawValue: &kyverno.Any{
+ Value: "dummy",
+ },
+ },
+ want: `{"key":"{{ request.object.name }}","operator":"Equals","value":"dummy"}`,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ c := &Condition{
+ RawKey: tt.fields.RawKey,
+ Operator: tt.fields.Operator,
+ RawValue: tt.fields.RawValue,
+ Message: tt.fields.Message,
+ }
+ got, err := json.Marshal(c)
+ assert.NoError(t, err)
+ assert.Equal(t, tt.want, string(got))
+ })
+ }
+}
diff --git a/api/kyverno/v2/constants.go b/api/kyverno/v2/constants.go
new file mode 100644
index 000000000000..d10de6903c6a
--- /dev/null
+++ b/api/kyverno/v2/constants.go
@@ -0,0 +1,14 @@
+package v2
+
+const (
+ // URMutatePolicyLabel adds the policy name to URs for mutate policies
+ URMutatePolicyLabel = "mutate.updaterequest.kyverno.io/policy-name"
+ URMutateTriggerNameLabel = "mutate.updaterequest.kyverno.io/trigger-name"
+ URMutateTriggerNSLabel = "mutate.updaterequest.kyverno.io/trigger-namespace"
+ URMutateTriggerKindLabel = "mutate.updaterequest.kyverno.io/trigger-kind"
+ URMutateTriggerAPIVersionLabel = "mutate.updaterequest.kyverno.io/trigger-apiversion"
+
+ // URGeneratePolicyLabel adds the policy name to URs for generate policies
+ URGeneratePolicyLabel = "generate.kyverno.io/policy-name"
+ URGenerateRetryCountAnnotation = "generate.kyverno.io/retry-count"
+)
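Review bot: TestCondition_Marshal never sets Message, so the `message` key and its omitempty behaviour are untested; a third case with `Message: "msg"` and the expected `"message":"msg"` in the output would cover it. Pairing each case with a json.Unmarshal of `tt.want` back into a Condition and comparing against `c` would also confirm that the Raw* fields round-trip, which is the property the type depends on.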
diff --git a/api/kyverno/v2/doc.go b/api/kyverno/v2/doc.go
new file mode 100644
index 000000000000..fb17986d8c4c
--- /dev/null
+++ b/api/kyverno/v2/doc.go
@@ -0,0 +1,20 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:deepcopy-gen=package
+// +kubebuilder:object:generate=true
+// +groupName=kyverno.io
+package v2
diff --git a/api/kyverno/v2/match_resources_test.go b/api/kyverno/v2/match_resources_test.go
new file mode 100644
index 000000000000..a789d8f0a5d2
--- /dev/null
+++ b/api/kyverno/v2/match_resources_test.go
@@ -0,0 +1,68 @@
+package v2
+
+import (
+ "testing"
+
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "gotest.tools/assert"
+ rbacv1 "k8s.io/api/rbac/v1"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+func Test_MatchResources(t *testing.T) {
+ testCases := []struct {
+ name string
+ namespaced bool
+ subject MatchResources
+ errors []string
+ }{{
+ name: "valid",
+ namespaced: true,
+ subject: MatchResources{
+ Any: kyvernov1.ResourceFilters{{
+ UserInfo: kyvernov1.UserInfo{
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Namespace: "ns",
+ Name: "sa-1",
+ }},
+ },
+ }},
+ },
+ }, {
+ name: "any-all",
+ namespaced: true,
+ subject: MatchResources{
+ Any: kyvernov1.ResourceFilters{{
+ UserInfo: kyvernov1.UserInfo{
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Namespace: "ns",
+ Name: "sa-1",
+ }},
+ },
+ }},
+ All: kyvernov1.ResourceFilters{{
+ UserInfo: kyvernov1.UserInfo{
+ Subjects: []rbacv1.Subject{{
+ Kind: "ServiceAccount",
+ Namespace: "ns",
+ Name: "sa-1",
+ }},
+ },
+ }},
+ },
+ errors: []string{
+ `dummy: Invalid value: v2beta1.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), 
Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}}: Can't specify any and all together`,
+ },
+ }}
+
+ path := field.NewPath("dummy")
+ for _, testCase := range testCases {
+ errs := testCase.subject.Validate(path, testCase.namespaced, nil)
+ assert.Equal(t, len(errs), len(testCase.errors))
+ for i, err := range errs {
+ assert.Equal(t, err.Error(), testCase.errors[i])
+ }
+ }
+}
diff --git a/api/kyverno/v2/match_resources_types.go b/api/kyverno/v2/match_resources_types.go
new file mode 100644
index 000000000000..18fb8b66527a
--- /dev/null
+++ b/api/kyverno/v2/match_resources_types.go
@@ -0,0 +1,7 @@
+package v2
+
+import (
+ kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+)
+
+type MatchResources = kyvernov2beta1.MatchResources
diff --git a/api/kyverno/v2/policy_exception_types.go b/api/kyverno/v2/policy_exception_types.go
new file mode 100644
index 000000000000..97e4478fe299
--- /dev/null
+++ b/api/kyverno/v2/policy_exception_types.go
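Review bot: The `any-all` case asserts the full `%#v` dump of a `v2beta1.MatchResources` as the expected error text, so adding any field to `ResourceDescription` or `UserInfo` (or changing how `MatchResources` is aliased in this package) fails the test without any real regression in `Validate`. Compare the structured parts of the `field.Error` instead, e.g. `assert.Equal(t, err.Field, "dummy")` and `assert.Equal(t, err.Detail, "Can't specify any and all together")`, with the table's `errors` column typed as field/detail pairs rather than full strings. The loop also runs both cases without `t.Run(testCase.name, ...)`, so a failure does not say which case it came from.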
@@ -0,0 +1,161 @@
+/*
+Copyright 2022 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package v2
+
+import (
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+ "github.com/kyverno/kyverno/ext/wildcard"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/util/validation/field"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:resource:shortName=polex,categories=kyverno
+// +kubebuilder:storageversion
+
+// PolicyException declares resources to be excluded from specified policies.
+type PolicyException struct {
+ metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`
+
+ // Spec declares policy exception behaviors.
+ Spec PolicyExceptionSpec `json:"spec" yaml:"spec"`
+}
+
+// Validate implements programmatic validation
+func (p *PolicyException) Validate() (errs field.ErrorList) {
+ errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
+ return errs
+}
+
+// Contains returns true if it contains an exception for the given policy/rule pair
+func (p *PolicyException) Contains(policy string, rule string) bool {
+ return p.Spec.Contains(policy, rule)
+}
+
+func (p *PolicyException) GetKind() string {
+ return "PolicyException"
+}
+
+// HasPodSecurity checks if podSecurity controls is specified
+func (p *PolicyException) HasPodSecurity() bool {
+ return len(p.Spec.PodSecurity) > 0
+}
+
+// PolicyExceptionSpec stores policy exception spec
+type PolicyExceptionSpec struct {
+ // Background controls if exceptions are applied to existing policies during a background scan.
+ // Optional. Default value is "true". The value must be set to "false" if the policy rule
+ // uses variables that are only available in the admission review request (e.g. user name).
+ Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
+
+ // Match defines match clause used to check if a resource applies to the exception
+ Match kyvernov2beta1.MatchResources `json:"match" yaml:"match"`
+
+ // Conditions are used to determine if a resource applies to the exception by evaluating a
+ // set of conditions. The declaration can contain nested `any` or `all` statements.
+ // +optional
+ Conditions *AnyAllConditions `json:"conditions,omitempty"`
+
+ // Exceptions is a list policy/rules to be excluded
+ Exceptions []Exception `json:"exceptions" yaml:"exceptions"`
+
+ // PodSecurity specifies the Pod Security Standard controls to be excluded.
+ // Applicable only to policies that have validate.podSecurity subrule.
+ // +optional
+ PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"`
+}
+
+func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool {
+ if p.Background == nil {
+ return true
+ }
+ return *p.Background
+}
+
+// Validate implements programmatic validation
+func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
+ if p.BackgroundProcessingEnabled() {
+ if userErrs := p.Match.ValidateNoUserInfo(path.Child("match")); len(userErrs) > 0 {
+ errs = append(errs, userErrs...)
+ }
+ }
+ errs = append(errs, p.Match.Validate(path.Child("match"), false, nil)...)
+ exceptionsPath := path.Child("exceptions")
+ for i, e := range p.Exceptions {
+ errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
+ }
+
+ podSecuityPath := path.Child("podSecurity")
+ for i, p := range p.PodSecurity {
+ errs = append(errs, p.Validate(podSecuityPath.Index(i))...)
+ }
+ return errs
+}
+
+// Contains returns true if it contains an exception for the given policy/rule pair
+func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool {
+ for _, exception := range p.Exceptions {
+ if exception.Contains(policy, rule) {
+ return true
+ }
+ }
+ return false
+}
+
+// Exception stores infos about a policy and rules
+type Exception struct {
+ // PolicyName identifies the policy to which the exception is applied.
+ // The policy name uses the format / unless it
+ // references a ClusterPolicy.
+ PolicyName string `json:"policyName" yaml:"policyName"`
+
+ // RuleNames identifies the rules to which the exception is applied.
+ RuleNames []string `json:"ruleNames" yaml:"ruleNames"`
+}
+
+// Validate implements programmatic validation
+func (p *Exception) Validate(path *field.Path) (errs field.ErrorList) {
+ if p.PolicyName == "" {
+ errs = append(errs, field.Required(path.Child("policyName"), "An exception requires a policy name"))
+ }
+ return errs
+}
+
+// Contains returns true if it contains an exception for the given policy/rule pair
+func (p *Exception) Contains(policy string, rule string) bool {
+ if p.PolicyName == policy {
+ for _, ruleName := range p.RuleNames {
+ if wildcard.Match(ruleName, rule) {
+ return true
+ }
+ }
+ }
+ return false
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// PolicyExceptionList is a list of Policy Exceptions
+type PolicyExceptionList struct {
+ metav1.TypeMeta `json:",inline" yaml:",inline"`
+ metav1.ListMeta `json:"metadata" yaml:"metadata"`
+ Items []PolicyException `json:"items" yaml:"items"`
+}
diff --git a/api/kyverno/v2/updaterequest_types.go b/api/kyverno/v2/updaterequest_types.go
new file mode 100644
index 000000000000..99b8d7fb3714
--- /dev/null
+++ b/api/kyverno/v2/updaterequest_types.go
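Review bot: `Exception.Validate` accepts an exception whose `ruleNames` is empty, and `Exception.Contains` then never matches because it only returns true from inside the loop over `RuleNames`, so the object is admitted but silently inert; for a resource whose whole purpose is to carve holes in policy enforcement, a quiet no-op is a worse failure mode than a rejection at admission. I would add, next to the `policyName` check, `if len(p.RuleNames) == 0 { errs = append(errs, field.Required(path.Child("ruleNames"), "An exception requires at least one rule name")) }`, unless an empty list is intended to mean "no rules", in which case the `RuleNames` doc comment should say so explicitly. Two smaller points in `PolicyExceptionSpec.Validate`: `for i, p := range p.PodSecurity` shadows the receiver `p`, and `podSecuityPath` is misspelled. `Conditions` is not validated anywhere in this file; that may be intentional if `AnyAllConditions` is checked elsewhere, but I cannot confirm it from this diff.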
@@ -0,0 +1,202 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v2
+
+import (
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ admissionv1 "k8s.io/api/admission/v1"
+ authenticationv1 "k8s.io/api/authentication/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// UpdateRequestStatus defines the observed state of UpdateRequest
+type UpdateRequestStatus struct {
+ // State represents state of the update request.
+ State UpdateRequestState `json:"state" yaml:"state"`
+
+ // Specifies request status message.
+ // +optional
+ Message string `json:"message,omitempty" yaml:"message,omitempty"`
+
+ // This will track the resources that are updated by the generate Policy.
+ // Will be used during clean up resources.
+ GeneratedResources []kyvernov1.ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
+
+ RetryCount int `json:"retryCount,omitempty" yaml:"retryCount,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy"
+// +kubebuilder:printcolumn:name="RuleType",type="string",JSONPath=".spec.requestType"
+// +kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind"
+// +kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
+// +kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace"
+// +kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:resource:shortName=ur,categories=kyverno
+// +kubebuilder:storageversion
+
+// UpdateRequest is a request to process mutate and generate rules in background.
+type UpdateRequest struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // ResourceSpec is the information to identify the trigger resource.
+ Spec UpdateRequestSpec `json:"spec,omitempty"`
+
+ // Status contains statistics related to update request.
+ // +optional
+ Status UpdateRequestStatus `json:"status,omitempty"`
+}
+
+type RequestType string
+
+const (
+ Mutate RequestType = "mutate"
+ Generate RequestType = "generate"
+)
+
+// UpdateRequestSpec stores the request specification.
+type UpdateRequestSpec struct {
+ // Type represents request type for background processing
+ // +kubebuilder:validation:Enum=mutate;generate
+ Type RequestType `json:"requestType,omitempty" yaml:"requestType,omitempty"`
+
+ // Specifies the name of the policy.
+ Policy string `json:"policy" yaml:"policy"`
+
+ // RuleContext is the associate context to apply rules.
+ // optional
+ RuleContext []RuleContext `json:"ruleContext,omitempty" yaml:"ruleContext,omitempty"`
+
+ // Rule is the associate rule name of the current UR.
+ Rule string `json:"rule" yaml:"rule"`
+
+ // DeleteDownstream represents whether the downstream needs to be deleted.
+ // Deprecated
+ DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
+
+ // Synchronize represents the sync behavior of the corresponding rule
+ // Optional. Defaults to "false" if not specified.
+ // Deprecated, will be removed in 1.14.
+ Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
+
+ // ResourceSpec is the information to identify the trigger resource.
+ Resource kyvernov1.ResourceSpec `json:"resource" yaml:"resource"`
+
+ // Context represents admission request context.
+ // It is used upon admission review only and is shared across rules within the same UR.
+ Context UpdateRequestSpecContext `json:"context" yaml:"context"`
+}
+
+type RuleContext struct {
+ // Rule is the associate rule name of the current UR.
+ Rule string `json:"rule" yaml:"rule"`
+
+ // DeleteDownstream represents whether the downstream needs to be deleted.
+ DeleteDownstream bool `json:"deleteDownstream" yaml:"deleteDownstream"`
+
+ // Synchronize represents the sync behavior of the corresponding rule
+ // Optional. Defaults to "false" if not specified.
+ Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`
+
+ // ResourceSpec is the information to identify the trigger resource.
+ Trigger kyvernov1.ResourceSpec `json:"trigger" yaml:"resource"`
+}
+
+// UpdateRequestSpecContext stores the context to be shared.
+type UpdateRequestSpecContext struct {
+ // +optional
+ UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
+ // +optional
+ AdmissionRequestInfo AdmissionRequestInfoObject `json:"admissionRequestInfo,omitempty" yaml:"admissionRequestInfo,omitempty"`
+}
+
+// RequestInfo contains permission info carried in an admission request.
+type RequestInfo struct {
+ // Roles is a list of possible role send the request.
+ // +nullable
+ // +optional
+ Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`
+
+ // ClusterRoles is a list of possible clusterRoles send the request.
+ // +nullable
+ // +optional
+ ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`
+
+ // UserInfo is the userInfo carried in the admission request.
+ // +optional
+ AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
+}
+
+// AdmissionRequestInfoObject stores the admission request and operation details
+type AdmissionRequestInfoObject struct {
+ // +optional
+ AdmissionRequest *admissionv1.AdmissionRequest `json:"admissionRequest,omitempty" yaml:"admissionRequest,omitempty"`
+ // +optional
+ Operation admissionv1.Operation `json:"operation,omitempty" yaml:"operation,omitempty"`
+}
+
+// UpdateRequestState defines the state of request.
+type UpdateRequestState string
+
+const (
+ // Pending - the Request is yet to be processed or resource has not been created.
+ Pending UpdateRequestState = "Pending"
+
+ // Failed - the Update Request Controller failed to process the rules.
+ Failed UpdateRequestState = "Failed"
+
+ // Completed - the Update Request Controller created resources defined in the policy.
+ Completed UpdateRequestState = "Completed"
+
+ // Skip - the Update Request Controller skips to generate the resource.
+ Skip UpdateRequestState = "Skip"
+)
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+
+// UpdateRequestList contains a list of UpdateRequest
+type UpdateRequestList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []UpdateRequest `json:"items"`
+}
+
+func (s *UpdateRequestSpec) GetRequestType() RequestType {
+ return s.Type
+}
+
+func (s *UpdateRequestSpec) GetPolicyKey() string {
+ return s.Policy
+}
+
+func (s *UpdateRequestSpec) GetRuleName() string {
+ return s.Rule
+}
+
+func (s *UpdateRequestSpec) GetSynchronize() bool {
+ return s.Synchronize
+}
+
+func (s *UpdateRequestSpec) GetResource() kyvernov1.ResourceSpec {
+ return s.Resource
+}
diff --git a/api/kyverno/v2/zz_generated.deepcopy.go b/api/kyverno/v2/zz_generated.deepcopy.go
new file mode 100644
index 000000000000..afa073fb3f5c
--- /dev/null
+++ b/api/kyverno/v2/zz_generated.deepcopy.go
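Review bot: `RuleContext.Trigger` carries `json:"trigger" yaml:"resource"`, so the same field serialises under two different keys depending on the codec; every other field in this file keeps both tags in agreement, and since the JSON tag is what the API server persists, the YAML one should follow it: `Trigger kyvernov1.ResourceSpec \`json:"trigger" yaml:"trigger"\``. The `// Deprecated` lines on `DeleteDownstream` and `Synchronize` are not in the `// Deprecated: use X instead.` form that tooling recognises, and `RuleContext`'s `// optional` is not the `// +optional` marker used elsewhere in the struct. Separately, `UpdateRequestSpecContext` persists the full `admissionv1.AdmissionRequest` (object, old object, caller identity) into a stored CRD; if the background controller replays rules from that context as trusted input, write access to `updaterequests` is effectively the ability to forge admission context, which is worth stating in the type's doc comment so RBAC for the resource is scoped accordingly — I cannot confirm how the controller consumes it from this diff.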
@@ -0,0 +1,574 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v2 + +import ( + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + v2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + v1 "k8s.io/api/admission/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AdmissionRequestInfoObject) DeepCopyInto(out *AdmissionRequestInfoObject) { + *out = *in + if in.AdmissionRequest != nil { + in, out := &in.AdmissionRequest, &out.AdmissionRequest + *out = new(v1.AdmissionRequest) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionRequestInfoObject. +func (in *AdmissionRequestInfoObject) DeepCopy() *AdmissionRequestInfoObject { + if in == nil { + return nil + } + out := new(AdmissionRequestInfoObject) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) { + *out = *in + if in.AnyConditions != nil { + in, out := &in.AnyConditions, &out.AnyConditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AllConditions != nil { + in, out := &in.AllConditions, &out.AllConditions + *out = make([]Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions. +func (in *AnyAllConditions) DeepCopy() *AnyAllConditions { + if in == nil { + return nil + } + out := new(AnyAllConditions) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy. +func (in *CleanupPolicy) DeepCopy() *CleanupPolicy { + if in == nil { + return nil + } + out := new(CleanupPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CleanupPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]CleanupPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList. +func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList { + if in == nil { + return nil + } + out := new(CleanupPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CleanupPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) { + *out = *in + if in.Context != nil { + in, out := &in.Context, &out.Context + *out = make([]kyvernov1.ContextEntry, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.MatchResources.DeepCopyInto(&out.MatchResources) + if in.ExcludeResources != nil { + in, out := &in.ExcludeResources, &out.ExcludeResources + *out = new(v2beta1.MatchResources) + (*in).DeepCopyInto(*out) + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = new(AnyAllConditions) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec. +func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec { + if in == nil { + return nil + } + out := new(CleanupPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastExecutionTime.DeepCopyInto(&out.LastExecutionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus. +func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus { + if in == nil { + return nil + } + out := new(CleanupPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy. +func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy { + if in == nil { + return nil + } + out := new(ClusterCleanupPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterCleanupPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList. +func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList { + if in == nil { + return nil + } + out := new(ClusterCleanupPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Condition) DeepCopyInto(out *Condition) { + *out = *in + if in.RawKey != nil { + in, out := &in.RawKey, &out.RawKey + *out = (*in).DeepCopy() + } + if in.RawValue != nil { + in, out := &in.RawValue, &out.RawValue + *out = (*in).DeepCopy() + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Exception) DeepCopyInto(out *Exception) { + *out = *in + if in.RuleNames != nil { + in, out := &in.RuleNames, &out.RuleNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception. 
+func (in *Exception) DeepCopy() *Exception { + if in == nil { + return nil + } + out := new(Exception) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyException) DeepCopyInto(out *PolicyException) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException. +func (in *PolicyException) DeepCopy() *PolicyException { + if in == nil { + return nil + } + out := new(PolicyException) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PolicyException) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PolicyException, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList. +func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList { + if in == nil { + return nil + } + out := new(PolicyExceptionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *PolicyExceptionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec) { + *out = *in + if in.Background != nil { + in, out := &in.Background, &out.Background + *out = new(bool) + **out = **in + } + in.Match.DeepCopyInto(&out.Match) + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = new(AnyAllConditions) + (*in).DeepCopyInto(*out) + } + if in.Exceptions != nil { + in, out := &in.Exceptions, &out.Exceptions + *out = make([]Exception, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.PodSecurity != nil { + in, out := &in.PodSecurity, &out.PodSecurity + *out = make([]kyvernov1.PodSecurityStandard, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec. +func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec { + if in == nil { + return nil + } + out := new(PolicyExceptionSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RequestInfo) DeepCopyInto(out *RequestInfo) { + *out = *in + if in.Roles != nil { + in, out := &in.Roles, &out.Roles + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ClusterRoles != nil { + in, out := &in.ClusterRoles, &out.ClusterRoles + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.AdmissionUserInfo.DeepCopyInto(&out.AdmissionUserInfo) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestInfo. 
+func (in *RequestInfo) DeepCopy() *RequestInfo { + if in == nil { + return nil + } + out := new(RequestInfo) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RuleContext) DeepCopyInto(out *RuleContext) { + *out = *in + out.Trigger = in.Trigger + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleContext. +func (in *RuleContext) DeepCopy() *RuleContext { + if in == nil { + return nil + } + out := new(RuleContext) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpdateRequest) DeepCopyInto(out *UpdateRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequest. +func (in *UpdateRequest) DeepCopy() *UpdateRequest { + if in == nil { + return nil + } + out := new(UpdateRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpdateRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *UpdateRequestList) DeepCopyInto(out *UpdateRequestList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]UpdateRequest, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestList. +func (in *UpdateRequestList) DeepCopy() *UpdateRequestList { + if in == nil { + return nil + } + out := new(UpdateRequestList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *UpdateRequestList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpdateRequestSpec) DeepCopyInto(out *UpdateRequestSpec) { + *out = *in + if in.RuleContext != nil { + in, out := &in.RuleContext, &out.RuleContext + *out = make([]RuleContext, len(*in)) + copy(*out, *in) + } + out.Resource = in.Resource + in.Context.DeepCopyInto(&out.Context) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpec. +func (in *UpdateRequestSpec) DeepCopy() *UpdateRequestSpec { + if in == nil { + return nil + } + out := new(UpdateRequestSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *UpdateRequestSpecContext) DeepCopyInto(out *UpdateRequestSpecContext) { + *out = *in + in.UserRequestInfo.DeepCopyInto(&out.UserRequestInfo) + in.AdmissionRequestInfo.DeepCopyInto(&out.AdmissionRequestInfo) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestSpecContext. +func (in *UpdateRequestSpecContext) DeepCopy() *UpdateRequestSpecContext { + if in == nil { + return nil + } + out := new(UpdateRequestSpecContext) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *UpdateRequestStatus) DeepCopyInto(out *UpdateRequestStatus) { + *out = *in + if in.GeneratedResources != nil { + in, out := &in.GeneratedResources, &out.GeneratedResources + *out = make([]kyvernov1.ResourceSpec, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateRequestStatus. +func (in *UpdateRequestStatus) DeepCopy() *UpdateRequestStatus { + if in == nil { + return nil + } + out := new(UpdateRequestStatus) + in.DeepCopyInto(out) + return out +} diff --git a/api/kyverno/v2/zz_generated.defaults.go b/api/kyverno/v2/zz_generated.defaults.go new file mode 100644 index 000000000000..c97cdeb586f2 --- /dev/null +++ b/api/kyverno/v2/zz_generated.defaults.go 
@@ -0,0 +1,33 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v2
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+ return nil
+}
diff --git a/api/kyverno/v2/zz_generated.register.go b/api/kyverno/v2/zz_generated.register.go
new file mode 100644
index 000000000000..b17296a6c2e0
--- /dev/null
+++ b/api/kyverno/v2/zz_generated.register.go
@@ -0,0 +1,73 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v2 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "kyverno.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. 
+ localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &CleanupPolicy{}, + &CleanupPolicyList{}, + &ClusterCleanupPolicy{}, + &ClusterCleanupPolicyList{}, + &PolicyException{}, + &PolicyExceptionList{}, + &UpdateRequest{}, + &UpdateRequestList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/api/kyverno/v2alpha1/cleanup_policy_interface.go b/api/kyverno/v2alpha1/cleanup_policy_interface.go deleted file mode 100644 index 48f4b002cefa..000000000000 --- a/api/kyverno/v2alpha1/cleanup_policy_interface.go +++ /dev/null @@ -1,18 +0,0 @@ -package v2alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/apimachinery/pkg/util/validation/field" -) - -// CleanupPolicyInterface abstracts the concrete policy type (Policy vs ClusterPolicy) -// +kubebuilder:object:generate=false -type CleanupPolicyInterface interface { - metav1.Object - GetSpec() *CleanupPolicySpec - GetStatus() *CleanupPolicyStatus - Validate(sets.Set[string]) field.ErrorList - GetKind() string - GetAPIVersion() string -} diff --git a/api/kyverno/v2alpha1/cleanup_policy_test.go b/api/kyverno/v2alpha1/cleanup_policy_test.go deleted file mode 100644 index 4b900cedef12..000000000000 --- a/api/kyverno/v2alpha1/cleanup_policy_test.go +++ /dev/null 
@@ -1,712 +0,0 @@ -package v2alpha1 - -import ( - "encoding/json" - "fmt" - "testing" - - "gotest.tools/assert" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/validation/field" -) - -func Test_CleanupPolicy_Name(t *testing.T) { - subject := CleanupPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", - }, - Spec: CleanupPolicySpec{ - Schedule: "* * * * *", - }, - } - errs := subject.Validate(nil) - assert.Assert(t, len(errs) == 1) - assert.Equal(t, errs[0].Field, "metadata.name") - assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) - assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") - assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") -} - -func Test_CleanupPolicy_Schedule(t *testing.T) { - subject := CleanupPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-policy", - }, - Spec: CleanupPolicySpec{ - Schedule: "schedule-not-in-proper-cron-format", - }, - } - errs := subject.Validate(nil) - assert.Assert(t, len(errs) == 1) - assert.Equal(t, errs[0].Field, "spec.schedule") - assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) - assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") - assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) -} - -func Test_ClusterCleanupPolicy_Name(t *testing.T) { - subject := ClusterCleanupPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", - }, - Spec: CleanupPolicySpec{ - Schedule: "* * * * *", - }, - } - errs := subject.Validate(nil) - assert.Assert(t, len(errs) == 1) - assert.Equal(t, errs[0].Field, "metadata.name") - assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) - 
assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") - assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") -} - -func Test_ClusterCleanupPolicy_Schedule(t *testing.T) { - subject := ClusterCleanupPolicy{ - ObjectMeta: metav1.ObjectMeta{ - Name: "test-policy", - }, - Spec: CleanupPolicySpec{ - Schedule: "schedule-not-in-proper-cron-format", - }, - } - errs := subject.Validate(nil) - assert.Assert(t, len(errs) == 1) - assert.Equal(t, errs[0].Field, "spec.schedule") - assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) - assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") - assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) -} - -func Test_doesMatchExcludeConflict(t *testing.T) { - path := field.NewPath("dummy") - testcases := []struct { - description string - policySpec []byte - errors func(r *CleanupPolicySpec) field.ErrorList - }{ - { - description: "Same match and exclude", - policySpec: []byte(` -{ - "match": { - "any": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "any": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - errors: func(r *CleanupPolicySpec) (errs field.ErrorList) { - return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty set")) - }, - 
}, - { - description: "Failed to exclude kind", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": [{ - "resources": { - "kinds": [ - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to exclude name", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something-*", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to exclude namespace", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - 
"exclude": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something3", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to exclude labels", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "higha" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to exclude expression", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "databases" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to 
exclude subjects", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to exclude clusterroles", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "Failed to exclude roles", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "exclude": { - "all": 
[{ - "resources": { - "kinds": [ - "Pod", - "Namespace" - ], - "name": "something", - "namespaces": [ - "something", - "something1" - ], - "selector": { - "matchLabels": { - "memory": "high" - }, - "matchExpressions": [ - { - "key": "tier", - "operator": "In", - "values": [ - "database" - ] - } - ] - } - } - }] - }, - "schedule": "* * * * *" -}`), - }, - { - description: "empty case", - policySpec: []byte(` -{ - "match": { - "all": [{ - "resources": { - "selector": { - "matchLabels": { - "allow-deletes": "false" - } - } - } - }] - }, - "exclude": {}, - "schedule": "* * * * *" -}`), - }, - } - for _, testcase := range testcases { - t.Run(testcase.description, func(t *testing.T) { - var policySpec CleanupPolicySpec - err := json.Unmarshal(testcase.policySpec, &policySpec) - assert.NilError(t, err) - errs := policySpec.ValidateMatchExcludeConflict(path) - var expectedErrs field.ErrorList - if testcase.errors != nil { - expectedErrs = testcase.errors(&policySpec) - } - assert.Equal(t, len(errs), len(expectedErrs)) - for i := range errs { - fmt.Println(i) - assert.Equal(t, errs[i].Error(), expectedErrs[i].Error()) - } - }) - } -} diff --git a/api/kyverno/v2alpha1/cleanup_policy_types.go b/api/kyverno/v2alpha1/cleanup_policy_types.go deleted file mode 100644 index 47c11f923104..000000000000 --- a/api/kyverno/v2alpha1/cleanup_policy_types.go +++ /dev/null 
@@ -1,224 +0,0 @@ -/* -Copyright 2020 The Kubernetes authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v2alpha1 - -import ( - "reflect" - - kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" - "github.com/robfig/cron" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/util/sets" - "k8s.io/apimachinery/pkg/util/validation/field" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +kubebuilder:object:root=true -// +kubebuilder:storageversion -// +kubebuilder:resource:shortName=cleanpol,categories=kyverno -// +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule" -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" - -// CleanupPolicy defines a rule for resource cleanup. -type CleanupPolicy struct { - metav1.TypeMeta `json:",inline,omitempty"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - // Spec declares policy behaviors. - Spec CleanupPolicySpec `json:"spec"` - - // Status contains policy runtime data. 
- // +optional - Status CleanupPolicyStatus `json:"status,omitempty"` -} - -// GetSpec returns the policy spec -func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec { - return &p.Spec -} - -// GetStatus returns the policy status -func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus { - return &p.Status -} - -// Validate implements programmatic validation -func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { - errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, true)...) - return errs -} - -// GetKind returns the resource kind -func (p *CleanupPolicy) GetKind() string { - return p.Kind -} - -// GetAPIVersion returns the resource kind -func (p *CleanupPolicy) GetAPIVersion() string { - return p.APIVersion -} - -// +kubebuilder:object:root=true -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// CleanupPolicyList is a list of ClusterPolicy instances. -type CleanupPolicyList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - Items []CleanupPolicy `json:"items"` -} - -// +genclient -// +genclient:nonNamespaced -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// +kubebuilder:object:root=true -// +kubebuilder:storageversion -// +kubebuilder:resource:scope=Cluster,shortName=ccleanpol,categories=kyverno -// +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule" -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" - -// ClusterCleanupPolicy defines rule for resource cleanup. -type ClusterCleanupPolicy struct { - metav1.TypeMeta `json:",inline,omitempty"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - // Spec declares policy behaviors. - Spec CleanupPolicySpec `json:"spec"` - - // Status contains policy runtime data. 
- // +optional - Status CleanupPolicyStatus `json:"status,omitempty"` -} - -// GetSpec returns the policy spec -func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec { - return &p.Spec -} - -// GetStatus returns the policy status -func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus { - return &p.Status -} - -// GetKind returns the resource kind -func (p *ClusterCleanupPolicy) GetKind() string { - return p.Kind -} - -// GetAPIVersion returns the resource kind -func (p *ClusterCleanupPolicy) GetAPIVersion() string { - return p.APIVersion -} - -// Validate implements programmatic validation -func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { - errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, false)...) - return errs -} - -// +kubebuilder:object:root=true -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances. -type ClusterCleanupPolicyList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - Items []ClusterCleanupPolicy `json:"items"` -} - -// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete -// and schedule when the matching resources needs deleted. -type CleanupPolicySpec struct { - // MatchResources defines when cleanuppolicy should be applied. The match - // criteria can include resource information (e.g. kind, name, namespace, labels) - // and admission review request information like the user name or role. - // At least one kind is required. - MatchResources kyvernov2beta1.MatchResources `json:"match,omitempty"` - - // ExcludeResources defines when cleanuppolicy should not be applied. The exclude - // criteria can include resource information (e.g. 
kind, name, namespace, labels) - // and admission review request information like the name or role. - // +optional - ExcludeResources *kyvernov2beta1.MatchResources `json:"exclude,omitempty"` - - // The schedule in Cron format - Schedule string `json:"schedule"` - - // Conditions defines the conditions used to select the resources which will be cleaned up. - // +optional - Conditions *kyvernov2beta1.AnyAllConditions `json:"conditions,omitempty"` -} - -// CleanupPolicyStatus stores the status of the policy. -type CleanupPolicyStatus struct { - Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` -} - -// Validate implements programmatic validation -func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) { - errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...) - if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 { - errs = append(errs, userInfoErrs...) - } else { - errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...) - } - if p.ExcludeResources != nil { - if userInfoErrs := p.ExcludeResources.ValidateNoUserInfo(path.Child("exclude")); len(userInfoErrs) != 0 { - errs = append(errs, userInfoErrs...) - } else { - errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...) - } - } - errs = append(errs, p.ValidateMatchExcludeConflict(path)...) - return errs -} - -// ValidateSchedule validates whether the schedule specified is in proper cron format or not. 
-func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) { - if _, err := cron.ParseStandard(schedule); err != nil { - errs = append(errs, field.Invalid(path, schedule, "schedule spec in the cleanupPolicy is not in proper cron format")) - } - return errs -} - -// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set -func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) { - if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 { - return errs - } - // if both have any then no resource should be common - if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 { - for _, rmr := range spec.MatchResources.Any { - for _, rer := range spec.ExcludeResources.Any { - if reflect.DeepEqual(rmr, rer) { - return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set")) - } - } - } - return errs - } - if reflect.DeepEqual(spec.ExcludeResources, kyvernov2beta1.MatchResources{}) { - return errs - } - return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set")) -} diff --git a/api/kyverno/v2alpha1/global_context_entry_status.go b/api/kyverno/v2alpha1/global_context_entry_status.go new file mode 100644 index 000000000000..ee9667e68b0a --- /dev/null +++ b/api/kyverno/v2alpha1/global_context_entry_status.go 
@@ -0,0 +1,54 @@
+package v2alpha1
+
+import (
+ "k8s.io/apimachinery/pkg/api/meta"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+const (
+ // PolicyConditionReady means that the globalcontextentry is ready
+ GlobalContextEntryConditionReady = "Ready"
+)
+
+const (
+ // GlobalContextEntryReasonSucceeded is the reason set when the globalcontextentry is ready
+ GlobalContextEntryReasonSucceeded = "Succeeded"
+ // GlobalContextEntryReasonFailed is the reason set when the globalcontextentry is not ready
+ GlobalContextEntryReasonFailed = "Failed"
+)
+
+type GlobalContextEntryStatus struct {
+ // Deprecated in favor of Conditions
+ Ready bool `json:"ready" yaml:"ready"`
+ // +optional
+ Conditions []metav1.Condition `json:"conditions,omitempty"`
+ // Indicates the time when the globalcontextentry was last refreshed successfully for the API Call
+ // +optional
+ LastRefreshTime metav1.Time `json:"lastRefreshTime,omitempty"`
+}
+
+func (status *GlobalContextEntryStatus) SetReady(ready bool, message string) {
+ condition := metav1.Condition{
+ Type: GlobalContextEntryConditionReady,
+ Message: message,
+ }
+ if ready {
+ condition.Status = metav1.ConditionTrue
+ condition.Reason = GlobalContextEntryReasonSucceeded
+ } else {
+ condition.Status = metav1.ConditionFalse
+ condition.Reason = GlobalContextEntryReasonFailed
+ }
+ status.Ready = ready
+ meta.SetStatusCondition(&status.Conditions, condition)
+}
+
+func (status *GlobalContextEntryStatus) UpdateRefreshTime() {
+ status.LastRefreshTime = metav1.Now()
+}
+
+// IsReady indicates if the globalcontextentry has loaded
+func (status *GlobalContextEntryStatus) IsReady() bool {
+ condition := meta.FindStatusCondition(status.Conditions, GlobalContextEntryConditionReady)
+ return condition != nil && condition.Status == metav1.ConditionTrue
+}
diff --git a/api/kyverno/v2alpha1/global_context_entry_types.go b/api/kyverno/v2alpha1/global_context_entry_types.go
new file mode 100644
index 000000000000..65c81383f2d5
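Review bot: The doc comment above `GlobalContextEntryConditionReady` reads `// PolicyConditionReady means that the globalcontextentry is ready`, naming a different identifier; it should read `// GlobalContextEntryConditionReady means that the globalcontextentry is ready`. `GlobalContextEntryStatus`, `SetReady` and `UpdateRefreshTime` are exported without doc comments; a one-liner each, e.g. `// SetReady records the Ready condition (and the deprecated Ready field) with the given message`, would help since `SetReady` writes both the legacy `Ready` bool and the condition. `IsReady` consults only the condition and ignores the `Ready` field, so its comment should state that Conditions is the source of truth; a status written by something that only sets `Ready` would read as not ready, if such writers exist.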
--- /dev/null
+++ b/api/kyverno/v2alpha1/global_context_entry_types.go
@@ -0,0 +1,176 @@ +/* +Copyright 2022 The Kubernetes authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package v2alpha1 + +import ( + "time" + + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +// +genclient +// +genclient:nonNamespaced +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:shortName=gctxentry,categories=kyverno,scope="Cluster" +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="REFRESH INTERVAL",type="string",JSONPath=".spec.apiCall.refreshInterval" +// +kubebuilder:printcolumn:name="LAST REFRESH",type="date",JSONPath=".status.lastRefreshTime" + +// GlobalContextEntry declares resources to be cached. +type GlobalContextEntry struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec declares policy exception behaviors. + Spec GlobalContextEntrySpec `json:"spec" yaml:"spec"` + + // Status contains globalcontextentry runtime data. 
+ // +optional + Status GlobalContextEntryStatus `json:"status,omitempty"` +} + +// GetStatus returns the globalcontextentry status +func (p *GlobalContextEntry) GetStatus() *GlobalContextEntryStatus { + return &p.Status +} + +// Validate implements programmatic validation +func (c *GlobalContextEntry) Validate() (errs field.ErrorList) { + errs = append(errs, c.Spec.Validate(field.NewPath("spec"))...) + return errs +} + +// IsNamespaced indicates if the policy is namespace scoped +func (c *GlobalContextEntry) IsNamespaced() bool { + return false +} + +// GlobalContextEntrySpec stores policy exception spec +type GlobalContextEntrySpec struct { + // Stores a list of Kubernetes resources which will be cached. + // Mutually exclusive with APICall. + // +kubebuilder:validation:Optional + KubernetesResource *KubernetesResource `json:"kubernetesResource,omitempty"` + + // Stores results from an API call which will be cached. + // Mutually exclusive with KubernetesResource. + // This can be used to make calls to external (non-Kubernetes API server) services. + // It can also be used to make calls to the Kubernetes API server in such cases: + // 1. A POST is needed to create a resource. + // 2. Finer-grained control is needed. Example: To restrict the number of resources cached. 
+ // +kubebuilder:validation:Optional + APICall *ExternalAPICall `json:"apiCall,omitempty"` +} + +func (c *GlobalContextEntrySpec) IsAPICall() bool { + return c.APICall != nil +} + +func (c *GlobalContextEntrySpec) IsResource() bool { + return c.KubernetesResource != nil +} + +// Validate implements programmatic validation +func (c *GlobalContextEntrySpec) Validate(path *field.Path) (errs field.ErrorList) { + if c.IsResource() && c.IsAPICall() { + errs = append(errs, field.Forbidden(path.Child("kubernetesResource"), "A global context entry should either have KubernetesResource or APICall")) + } + if !c.IsResource() && !c.IsAPICall() { + errs = append(errs, field.Forbidden(path.Child("kubernetesResource"), "A global context entry should either have KubernetesResource or APICall")) + } + if c.IsResource() { + errs = append(errs, c.KubernetesResource.Validate(path.Child("resource"))...) + } + if c.IsAPICall() { + errs = append(errs, c.APICall.Validate(path.Child("apiCall"))...) + } + return errs +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// GlobalContextEntryList is a list of Cached Context Entries +type GlobalContextEntryList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []GlobalContextEntry `json:"items"` +} + +// KubernetesResource stores infos about kubernetes resource that should be cached +type KubernetesResource struct { + // Group defines the group of the resource. + // +kubebuilder:validation:Required + Group string `json:"group"` + // Version defines the version of the resource. + // +kubebuilder:validation:Required + Version string `json:"version"` + // Resource defines the type of the resource. + // Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments") + // +kubebuilder:validation:Required + Resource string `json:"resource"` + // Namespace defines the namespace of the resource. 
Leave empty for cluster scoped resources. + // If left empty for namespaced resources, all resources from all namespaces will be cached. + // +kubebuilder:validation:Optional + // +optional + Namespace string `json:"namespace,omitempty"` +} + +// Validate implements programmatic validation +func (k *KubernetesResource) Validate(path *field.Path) (errs field.ErrorList) { + if k.Group == "" { + errs = append(errs, field.Required(path.Child("group"), "A Resource entry requires a group")) + } + if k.Version == "" { + errs = append(errs, field.Required(path.Child("version"), "A Resource entry requires a version")) + } + if k.Resource == "" { + errs = append(errs, field.Required(path.Child("resource"), "A Resource entry requires a resource")) + } + return errs +} + +type ExternalAPICall struct { + kyvernov1.APICall `json:",inline,omitempty"` + // RefreshInterval defines the interval in duration at which to poll the APICall. + // The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, + // such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". 
+ // +kubebuilder:validation:Format=duration + // +kubebuilder:default=`10m` + RefreshInterval *metav1.Duration `json:"refreshInterval,omitempty"` +} + +// Validate implements programmatic validation +func (e *ExternalAPICall) Validate(path *field.Path) (errs field.ErrorList) { + if e.RefreshInterval.Duration == 0*time.Second { + errs = append(errs, field.Required(path.Child("refreshIntervalSeconds"), "A Resource entry requires a refresh interval greater than 0 seconds")) + } + + if (e.Service == nil && e.URLPath == "") || (e.Service != nil && e.URLPath != "") { + errs = append(errs, field.Forbidden(path.Child("service"), "An External API call should either have Service or URLPath")) + } + + if e.Data != nil && e.Method != "POST" { + errs = append(errs, field.Forbidden(path.Child("method"), "An External API call with data should have method as POST")) + } + + return errs +} diff --git a/api/kyverno/v2alpha1/policy_exception_types.go b/api/kyverno/v2alpha1/policy_exception_types.go deleted file mode 100644 index c5f17aae8d4c..000000000000 --- a/api/kyverno/v2alpha1/policy_exception_types.go +++ /dev/null 
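Review bot: `ExternalAPICall.Validate` dereferences `e.RefreshInterval` unguarded in `e.RefreshInterval.Duration == 0*time.Second`, but the field is a `*metav1.Duration`, so an object that has not been through the CRD default of 10m (one built in Go, or validated outside the API server) panics here instead of returning an error, and a negative interval passes. The check should be `if e.RefreshInterval == nil || e.RefreshInterval.Duration <= 0 {`, and the reported path should match the JSON name, `path.Child("refreshInterval")` rather than `refreshIntervalSeconds`. Likewise `GlobalContextEntrySpec.Validate` reports `KubernetesResource` errors under `path.Child("resource")` while the field is serialized as `kubernetesResource`. The doc comments on `GlobalContextEntry.Spec` and `GlobalContextEntrySpec` still say "policy exception", which looks copy-pasted from `PolicyException`.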
@@ -1,113 +0,0 @@
-/*
-Copyright 2022 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-package v2alpha1
-
-import (
- kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
- "golang.org/x/exp/slices"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/util/validation/field"
-)
-
-// +genclient
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-// +kubebuilder:object:root=true
-// +kubebuilder:storageversion
-// +kubebuilder:resource:shortName=polex,categories=kyverno
-
-// PolicyException declares resources to be excluded from specified policies.
-type PolicyException struct {
- metav1.TypeMeta `json:",inline,omitempty"`
- metav1.ObjectMeta `json:"metadata,omitempty"`
-
- // Spec declares policy exception behaviors.
- Spec PolicyExceptionSpec `json:"spec"`
-}
-
-// Validate implements programmatic validation
-func (p *PolicyException) Validate() (errs field.ErrorList) {
- errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...)
- return errs
-}
-
-// Contains returns true if it contains an exception for the given policy/rule pair
-func (p *PolicyException) Contains(policy string, rule string) bool {
- return p.Spec.Contains(policy, rule)
-}
-
-// PolicyExceptionSpec stores policy exception spec
-type PolicyExceptionSpec struct {
- // Match defines match clause used to check if a resource applies to the exception
- Match kyvernov2beta1.MatchResources `json:"match"`
-
- // Exceptions is a list policy/rules to be excluded
- Exceptions []Exception `json:"exceptions"`
-}
-
-// Validate implements programmatic validation
-func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) {
- errs = append(errs, p.Match.Validate(path.Child("match"), false, nil)...)
- exceptionsPath := path.Child("exceptions")
- for i, e := range p.Exceptions {
- errs = append(errs, e.Validate(exceptionsPath.Index(i))...)
- }
- return errs
-}
-
-// Contains returns true if it contains an exception for the given policy/rule pair
-func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool {
- for _, exception := range p.Exceptions {
- if exception.Contains(policy, rule) {
- return true
- }
- }
- return false
-}
-
-// Exception stores infos about a policy and rules
-type Exception struct {
- // PolicyName identifies the policy to which the exception is applied.
- // The policy name uses the format / unless it
- // references a ClusterPolicy.
- PolicyName string `json:"policyName"`
-
- // RuleNames identifies the rules to which the exception is applied.
- RuleNames []string `json:"ruleNames"`
-}
-
-// Validate implements programmatic validation
-func (p *Exception) Validate(path *field.Path) (errs field.ErrorList) {
- if p.PolicyName == "" {
- errs = append(errs, field.Required(path.Child("policyName"), "An exception requires a policy name"))
- }
- return errs
-}
-
-// Contains returns true if it contains an exception for the given policy/rule pair
-func (p *Exception) Contains(policy string, rule string) bool {
- return p.PolicyName == policy && slices.Contains(p.RuleNames, rule)
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// PolicyExceptionList is a list of Policy Exceptions
-type PolicyExceptionList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata"`
- Items []PolicyException `json:"items"`
-}
diff --git a/api/kyverno/v2alpha1/register.go b/api/kyverno/v2alpha1/register.go
deleted file mode 100755
index 0dc126c4e8f0..000000000000
--- a/api/kyverno/v2alpha1/register.go
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
-Copyright 2020 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-// +kubebuilder:object:generate=true
-// +groupName=kyverno.io
-package v2alpha1
-
-import (
- "github.com/kyverno/kyverno/api/kyverno"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-// SchemeGroupVersion is group version used to register these objects
-var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v2alpha1"}
-
-// Kind takes an unqualified kind and returns back a Group qualified GroupKind
-func Kind(kind string) schema.GroupKind {
- return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
- // SchemeBuilder builds the scheme
- SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
-
- // AddToScheme adds all types of this clientset into the given scheme
- AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to Scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &CleanupPolicy{},
- &CleanupPolicyList{},
- &ClusterCleanupPolicy{},
- &ClusterCleanupPolicyList{},
- &PolicyException{},
- &PolicyExceptionList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
diff --git a/api/kyverno/v2alpha1/zz_generated.deepcopy.go b/api/kyverno/v2alpha1/zz_generated.deepcopy.go
index e8e9c4cfe097..1fc8e8b02042 100644
--- a/api/kyverno/v2alpha1/zz_generated.deepcopy.go
+++ b/api/kyverno/v2alpha1/zz_generated.deepcopy.go
@@ -17,144 +17,59 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by controller-gen. DO NOT EDIT. +// Code generated by deepcopy-gen. DO NOT EDIT. package v2alpha1 import ( - "github.com/kyverno/kyverno/api/kyverno/v2beta1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy) { +func (in *ExternalAPICall) DeepCopyInto(out *ExternalAPICall) { *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy. -func (in *CleanupPolicy) DeepCopy() *CleanupPolicy { - if in == nil { - return nil - } - out := new(CleanupPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *CleanupPolicy) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]CleanupPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList. 
-func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList { - if in == nil { - return nil - } - out := new(CleanupPolicyList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *CleanupPolicyList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) { - *out = *in - in.MatchResources.DeepCopyInto(&out.MatchResources) - if in.ExcludeResources != nil { - in, out := &in.ExcludeResources, &out.ExcludeResources - *out = new(v2beta1.MatchResources) - (*in).DeepCopyInto(*out) - } - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = new(v2beta1.AnyAllConditions) - (*in).DeepCopyInto(*out) + in.APICall.DeepCopyInto(&out.APICall) + if in.RefreshInterval != nil { + in, out := &in.RefreshInterval, &out.RefreshInterval + *out = new(v1.Duration) + **out = **in } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec. -func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalAPICall. +func (in *ExternalAPICall) DeepCopy() *ExternalAPICall { if in == nil { return nil } - out := new(CleanupPolicySpec) + out := new(ExternalAPICall) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]v1.Condition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus. -func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus { - if in == nil { - return nil - } - out := new(CleanupPolicyStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy) { +func (in *GlobalContextEntry) DeepCopyInto(out *GlobalContextEntry) { *out = *in out.TypeMeta = in.TypeMeta in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy. -func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalContextEntry. +func (in *GlobalContextEntry) DeepCopy() *GlobalContextEntry { if in == nil { return nil } - out := new(ClusterCleanupPolicy) + out := new(GlobalContextEntry) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object { +func (in *GlobalContextEntry) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } 
@@ -162,31 +77,32 @@ func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList) { +func (in *GlobalContextEntryList) DeepCopyInto(out *GlobalContextEntryList) { *out = *in out.TypeMeta = in.TypeMeta in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]ClusterCleanupPolicy, len(*in)) + *out = make([]GlobalContextEntry, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList. -func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalContextEntryList. +func (in *GlobalContextEntryList) DeepCopy() *GlobalContextEntryList { if in == nil { return nil } - out := new(ClusterCleanupPolicyList) + out := new(GlobalContextEntryList) in.DeepCopyInto(out) return out } // DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object { +func (in *GlobalContextEntryList) DeepCopyObject() runtime.Object { if c := in.DeepCopy(); c != nil { return c } 
@@ -194,102 +110,67 @@ func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Exception) DeepCopyInto(out *Exception) { +func (in *GlobalContextEntrySpec) DeepCopyInto(out *GlobalContextEntrySpec) { *out = *in - if in.RuleNames != nil { - in, out := &in.RuleNames, &out.RuleNames - *out = make([]string, len(*in)) - copy(*out, *in) + if in.KubernetesResource != nil { + in, out := &in.KubernetesResource, &out.KubernetesResource + *out = new(KubernetesResource) + **out = **in + } + if in.APICall != nil { + in, out := &in.APICall, &out.APICall + *out = new(ExternalAPICall) + (*in).DeepCopyInto(*out) } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception. -func (in *Exception) DeepCopy() *Exception { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalContextEntrySpec. +func (in *GlobalContextEntrySpec) DeepCopy() *GlobalContextEntrySpec { if in == nil { return nil } - out := new(Exception) + out := new(GlobalContextEntrySpec) in.DeepCopyInto(out) return out } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyException) DeepCopyInto(out *PolicyException) { +func (in *GlobalContextEntryStatus) DeepCopyInto(out *GlobalContextEntryStatus) { *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException. -func (in *PolicyException) DeepCopy() *PolicyException { - if in == nil { - return nil - } - out := new(PolicyException) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
-func (in *PolicyException) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]PolicyException, len(*in)) + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]v1.Condition, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } + in.LastRefreshTime.DeepCopyInto(&out.LastRefreshTime) + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList. -func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalContextEntryStatus. +func (in *GlobalContextEntryStatus) DeepCopy() *GlobalContextEntryStatus { if in == nil { return nil } - out := new(PolicyExceptionList) + out := new(GlobalContextEntryStatus) in.DeepCopyInto(out) return out } -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *PolicyExceptionList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec) { +func (in *KubernetesResource) DeepCopyInto(out *KubernetesResource) { *out = *in - in.Match.DeepCopyInto(&out.Match) - if in.Exceptions != nil { - in, out := &in.Exceptions, &out.Exceptions - *out = make([]Exception, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } + return } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec. -func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesResource. +func (in *KubernetesResource) DeepCopy() *KubernetesResource { if in == nil { return nil } - out := new(PolicyExceptionSpec) + out := new(KubernetesResource) in.DeepCopyInto(out) return out } diff --git a/api/kyverno/v2alpha1/zz_generated.defaults.go b/api/kyverno/v2alpha1/zz_generated.defaults.go new file mode 100644 index 000000000000..39026da3c404 --- /dev/null +++ b/api/kyverno/v2alpha1/zz_generated.defaults.go 
@@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v2alpha1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/api/kyverno/v2alpha1/zz_generated.register.go b/api/kyverno/v2alpha1/zz_generated.register.go new file mode 100644 index 000000000000..9e5f27f728f6 --- /dev/null +++ b/api/kyverno/v2alpha1/zz_generated.register.go 
@@ -0,0 +1,67 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v2alpha1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "kyverno.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2alpha1"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2alpha1"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. 
The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &GlobalContextEntry{}, + &GlobalContextEntryList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/api/kyverno/v2beta1/cleanup_policy_test.go b/api/kyverno/v2beta1/cleanup_policy_test.go new file mode 100644 index 000000000000..0d20b6507ce4 --- /dev/null +++ b/api/kyverno/v2beta1/cleanup_policy_test.go 
@@ -0,0 +1,712 @@ +package v2beta1 + +import ( + "encoding/json" + "fmt" + "testing" + + "gotest.tools/assert" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +func Test_CleanupPolicy_Name(t *testing.T) { + subject := CleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", + }, + Spec: CleanupPolicySpec{ + Schedule: "* * * * *", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "metadata.name") + assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) + assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") + assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") +} + +func Test_CleanupPolicy_Schedule(t *testing.T) { + subject := CleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-policy", + }, + Spec: CleanupPolicySpec{ + Schedule: "schedule-not-in-proper-cron-format", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "spec.schedule") + assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) + assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") + assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) +} + +func Test_ClusterCleanupPolicy_Name(t *testing.T) { + subject := ClusterCleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", + }, + Spec: CleanupPolicySpec{ + Schedule: "* * * * *", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "metadata.name") + assert.Equal(t, errs[0].Type, field.ErrorTypeTooLong) + 
assert.Equal(t, errs[0].Detail, "must have at most 63 bytes") + assert.Equal(t, errs[0].Error(), "metadata.name: Too long: must have at most 63 bytes") +} + +func Test_ClusterCleanupPolicy_Schedule(t *testing.T) { + subject := ClusterCleanupPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-policy", + }, + Spec: CleanupPolicySpec{ + Schedule: "schedule-not-in-proper-cron-format", + }, + } + errs := subject.Validate(nil) + assert.Assert(t, len(errs) == 1) + assert.Equal(t, errs[0].Field, "spec.schedule") + assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) + assert.Equal(t, errs[0].Detail, "schedule spec in the cleanupPolicy is not in proper cron format") + assert.Equal(t, errs[0].Error(), fmt.Sprintf(`spec.schedule: Invalid value: "%s": schedule spec in the cleanupPolicy is not in proper cron format`, subject.Spec.Schedule)) +} + +func Test_doesMatchExcludeConflict_cleanupPolicy(t *testing.T) { + path := field.NewPath("dummy") + testcases := []struct { + description string + policySpec []byte + errors func(r *CleanupPolicySpec) field.ErrorList + }{ + { + description: "Same match and exclude", + policySpec: []byte(` +{ + "match": { + "any": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "any": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + errors: func(r *CleanupPolicySpec) (errs field.ErrorList) { + return append(errs, field.Invalid(path, r, "CleanupPolicy is matching an empty 
set")) + }, + }, + { + description: "Failed to exclude kind", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude name", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something-*", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude namespace", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + 
}] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something3", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude labels", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "higha" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude expression", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "databases" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: 
"Failed to exclude subjects", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude clusterroles", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "Failed to exclude roles", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "exclude": { 
+ "all": [{ + "resources": { + "kinds": [ + "Pod", + "Namespace" + ], + "name": "something", + "namespaces": [ + "something", + "something1" + ], + "selector": { + "matchLabels": { + "memory": "high" + }, + "matchExpressions": [ + { + "key": "tier", + "operator": "In", + "values": [ + "database" + ] + } + ] + } + } + }] + }, + "schedule": "* * * * *" +}`), + }, + { + description: "empty case", + policySpec: []byte(` +{ + "match": { + "all": [{ + "resources": { + "selector": { + "matchLabels": { + "allow-deletes": "false" + } + } + } + }] + }, + "exclude": {}, + "schedule": "* * * * *" +}`), + }, + } + for _, testcase := range testcases { + t.Run(testcase.description, func(t *testing.T) { + var policySpec CleanupPolicySpec + err := json.Unmarshal(testcase.policySpec, &policySpec) + assert.NilError(t, err) + errs := policySpec.ValidateMatchExcludeConflict(path) + var expectedErrs field.ErrorList + if testcase.errors != nil { + expectedErrs = testcase.errors(&policySpec) + } + assert.Equal(t, len(errs), len(expectedErrs)) + for i := range errs { + fmt.Println(i) + assert.Equal(t, errs[i].Error(), expectedErrs[i].Error()) + } + }) + } +} diff --git a/api/kyverno/v2beta1/cleanup_policy_types.go b/api/kyverno/v2beta1/cleanup_policy_types.go new file mode 100644 index 000000000000..d63154dc07e1 --- /dev/null +++ b/api/kyverno/v2beta1/cleanup_policy_types.go 
@@ -0,0 +1,295 @@ +/* +Copyright 2020 The Kubernetes authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v2beta1 + +import ( + "time" + + "github.com/aptible/supercronic/cronexpr" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + datautils "github.com/kyverno/kyverno/pkg/utils/data" + "github.com/robfig/cron" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/sets" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +// +genclient +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:shortName=cleanpol,categories=kyverno +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:deprecatedversion + +// CleanupPolicy defines a rule for resource cleanup. +type CleanupPolicy struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec declares policy behaviors. + Spec CleanupPolicySpec `json:"spec"` + + // Status contains policy runtime data. 
+ // +optional + Status CleanupPolicyStatus `json:"status,omitempty"` +} + +// GetSpec returns the policy spec +func (p *CleanupPolicy) GetSpec() *CleanupPolicySpec { + return &p.Spec +} + +// GetStatus returns the policy status +func (p *CleanupPolicy) GetStatus() *CleanupPolicyStatus { + return &p.Status +} + +// GetExecutionTime returns the execution time of the policy +func (p *CleanupPolicy) GetExecutionTime() (*time.Time, error) { + lastExecutionTime := p.Status.LastExecutionTime.Time + if lastExecutionTime.IsZero() { + creationTime := p.GetCreationTimestamp().Time + return p.GetNextExecutionTime(creationTime) + } else { + return p.GetNextExecutionTime(lastExecutionTime) + } +} + +// GetNextExecutionTime returns the next execution time of the policy +func (p *CleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) { + cronExpr, err := cronexpr.Parse(p.Spec.Schedule) + if err != nil { + return nil, err + } + nextExecutionTime := cronExpr.Next(time) + return &nextExecutionTime, nil +} + +// Validate implements programmatic validation +func (p *CleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { + errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, true)...) + return errs +} + +// GetKind returns the resource kind +func (p *CleanupPolicy) GetKind() string { + return "CleanupPolicy" +} + +// GetAPIVersion returns the resource kind +func (p *CleanupPolicy) GetAPIVersion() string { + return p.APIVersion +} + +// IsNamespaced indicates if the policy is namespace scoped +func (p *CleanupPolicy) IsNamespaced() bool { + return true +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CleanupPolicyList is a list of ClusterPolicy instances. 
+type CleanupPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []CleanupPolicy `json:"items"` +} + +// +genclient +// +genclient:nonNamespaced +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:object:root=true +// +kubebuilder:resource:scope=Cluster,shortName=ccleanpol,categories=kyverno +// +kubebuilder:subresource:status +// +kubebuilder:printcolumn:name="Schedule",type=string,JSONPath=".spec.schedule" +// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:deprecatedversion + +// ClusterCleanupPolicy defines rule for resource cleanup. +type ClusterCleanupPolicy struct { + metav1.TypeMeta `json:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty"` + + // Spec declares policy behaviors. + Spec CleanupPolicySpec `json:"spec"` + + // Status contains policy runtime data. + // +optional + Status CleanupPolicyStatus `json:"status,omitempty"` +} + +// GetSpec returns the policy spec +func (p *ClusterCleanupPolicy) GetSpec() *CleanupPolicySpec { + return &p.Spec +} + +// GetStatus returns the policy status +func (p *ClusterCleanupPolicy) GetStatus() *CleanupPolicyStatus { + return &p.Status +} + +// GetExecutionTime returns the execution time of the policy +func (p *ClusterCleanupPolicy) GetExecutionTime() (*time.Time, error) { + lastExecutionTime := p.Status.LastExecutionTime.Time + if lastExecutionTime.IsZero() { + creationTime := p.GetCreationTimestamp().Time + return p.GetNextExecutionTime(creationTime) + } else { + return p.GetNextExecutionTime(lastExecutionTime) + } +} + +// GetNextExecutionTime returns the next execution time of the policy +func (p *ClusterCleanupPolicy) GetNextExecutionTime(time time.Time) (*time.Time, error) { + cronExpr, err := cronexpr.Parse(p.Spec.Schedule) + if err != nil { + return nil, err + } + nextExecutionTime := cronExpr.Next(time) + return &nextExecutionTime, nil +} + +// GetKind 
returns the resource kind +func (p *ClusterCleanupPolicy) GetKind() string { + return "ClusterCleanupPolicy" +} + +// GetAPIVersion returns the resource kind +func (p *ClusterCleanupPolicy) GetAPIVersion() string { + return p.APIVersion +} + +// IsNamespaced indicates if the policy is namespace scoped +func (p *ClusterCleanupPolicy) IsNamespaced() bool { + return false +} + +// Validate implements programmatic validation +func (p *ClusterCleanupPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { + errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("metadata").Child("name"), p.Name)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), clusterResources, false)...) + return errs +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// ClusterCleanupPolicyList is a list of ClusterCleanupPolicy instances. +type ClusterCleanupPolicyList struct { + metav1.TypeMeta `json:",inline"` + metav1.ListMeta `json:"metadata"` + Items []ClusterCleanupPolicy `json:"items"` +} + +// CleanupPolicySpec stores specifications for selecting resources that the user needs to delete +// and schedule when the matching resources needs deleted. +type CleanupPolicySpec struct { + // Context defines variables and data sources that can be used during rule execution. + // +optional + Context []kyvernov1.ContextEntry `json:"context,omitempty" yaml:"context,omitempty"` + + // MatchResources defines when cleanuppolicy should be applied. The match + // criteria can include resource information (e.g. kind, name, namespace, labels) + // and admission review request information like the user name or role. + // At least one kind is required. + MatchResources MatchResources `json:"match,omitempty"` + + // ExcludeResources defines when cleanuppolicy should not be applied. The exclude + // criteria can include resource information (e.g. 
kind, name, namespace, labels) + // and admission review request information like the name or role. + // +optional + ExcludeResources *MatchResources `json:"exclude,omitempty"` + + // The schedule in Cron format + Schedule string `json:"schedule"` + + // Conditions defines the conditions used to select the resources which will be cleaned up. + // +optional + Conditions *AnyAllConditions `json:"conditions,omitempty"` +} + +// CleanupPolicyStatus stores the status of the policy. +type CleanupPolicyStatus struct { + Conditions []metav1.Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type" protobuf:"bytes,1,rep,name=conditions"` + LastExecutionTime metav1.Time `json:"lastExecutionTime,omitempty"` +} + +// Validate implements programmatic validation +func (p *CleanupPolicySpec) Validate(path *field.Path, clusterResources sets.Set[string], namespaced bool) (errs field.ErrorList) { + // Write context validation code here by following other validations. + errs = append(errs, ValidateContext(path.Child("context"), p.Context)...) + errs = append(errs, ValidateSchedule(path.Child("schedule"), p.Schedule)...) + if userInfoErrs := p.MatchResources.ValidateNoUserInfo(path.Child("match")); len(userInfoErrs) != 0 { + errs = append(errs, userInfoErrs...) + } else { + errs = append(errs, p.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...) + } + if p.ExcludeResources != nil { + if userInfoErrs := p.ExcludeResources.ValidateNoUserInfo(path.Child("exclude")); len(userInfoErrs) != 0 { + errs = append(errs, userInfoErrs...) + } else { + errs = append(errs, p.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...) + } + } + errs = append(errs, p.ValidateMatchExcludeConflict(path)...) 
+ return errs +} + +func ValidateContext(path *field.Path, context []kyvernov1.ContextEntry) (errs field.ErrorList) { + for _, entry := range context { + if entry.ImageRegistry != nil { + errs = append(errs, field.Invalid(path, context, "ImageRegistry is not allowed in CleanUp Policy")) + } else if entry.ConfigMap != nil { + errs = append(errs, field.Invalid(path, context, "ConfigMap is not allowed in CleanUp Policy")) + } + } + return errs +} + +// ValidateSchedule validates whether the schedule specified is in proper cron format or not. +func ValidateSchedule(path *field.Path, schedule string) (errs field.ErrorList) { + if _, err := cron.ParseStandard(schedule); err != nil { + errs = append(errs, field.Invalid(path, schedule, "schedule spec in the cleanupPolicy is not in proper cron format")) + } + return errs +} + +// ValidateMatchExcludeConflict checks if the resultant of match and exclude block is not an empty set +func (spec *CleanupPolicySpec) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorList) { + if spec.ExcludeResources == nil || len(spec.ExcludeResources.All) > 0 || len(spec.MatchResources.All) > 0 { + return errs + } + // if both have any then no resource should be common + if len(spec.MatchResources.Any) > 0 && len(spec.ExcludeResources.Any) > 0 { + for _, rmr := range spec.MatchResources.Any { + for _, rer := range spec.ExcludeResources.Any { + if datautils.DeepEqual(rmr, rer) { + return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set")) + } + } + } + return errs + } + if datautils.DeepEqual(spec.ExcludeResources, &MatchResources{}) { + return errs + } + return append(errs, field.Invalid(path, spec, "CleanupPolicy is matching an empty set")) +} diff --git a/api/kyverno/v2beta1/clusterpolicy_test.go b/api/kyverno/v2beta1/clusterpolicy_test.go index 7e2fad054dcf..8fab6c52a4bf 100644 --- a/api/kyverno/v2beta1/clusterpolicy_test.go +++ b/api/kyverno/v2beta1/clusterpolicy_test.go 
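Review bot: ValidateSchedule accepts a schedule with `cron.ParseStandard` (robfig/cron) while GetNextExecutionTime on both policy types computes the next run with `cronexpr.Parse` (supercronic); the two libraries implement different cron dialects, and nothing in this hunk establishes that every expression the first accepts is also parsed by the second, so a spec can pass admission validation and still fail or schedule differently when the controller runs it. Validating with the parser that does the scheduling, `if _, err := cronexpr.Parse(schedule); err != nil {`, closes that gap. Smaller points in the same file: the parameter `time time.Time` in GetNextExecutionTime shadows the `time` package inside the method; ValidateContext reports the whole slice via `field.Invalid(path, context, ...)` where `path.Index(i)` with the offending entry would pinpoint the error; and the GetAPIVersion doc comment on both types should read `// GetAPIVersion returns the resource API version`.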
@@ -3,7 +3,7 @@ package v2beta1 import ( "testing" - kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/api/kyverno" "gotest.tools/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/validation/field" @@ -25,7 +25,7 @@ func Test_ClusterPolicy_Name(t *testing.T) { } func Test_ClusterPolicy_IsNamespaced(t *testing.T) { - namespaced := ClusterPolicy{ + namespaced := Policy{ ObjectMeta: metav1.ObjectMeta{ Name: "this-is-a-way-too-long-policy-name-that-should-trigger-an-error-when-calling-the-policy-validation-method", Namespace: "abcd", @@ -45,7 +45,7 @@ func Test_ClusterPolicy_Autogen_All(t *testing.T) { ObjectMeta: metav1.ObjectMeta{ Name: "policy", Annotations: map[string]string{ - kyvernov1.PodControllersAnnotation: "all", + kyverno.AnnotationAutogenControllers: "all", }, }, } diff --git a/api/kyverno/v2beta1/clusterpolicy_types.go b/api/kyverno/v2beta1/clusterpolicy_types.go index ef511f5f8443..89086a2f3716 100644 --- a/api/kyverno/v2beta1/clusterpolicy_types.go +++ b/api/kyverno/v2beta1/clusterpolicy_types.go @@ -3,6 +3,7 @@ package v2beta1 import ( "strings" + "github.com/kyverno/kyverno/api/kyverno" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" 
@@ -15,15 +16,16 @@ import ( // +kubebuilder:object:root=true // +kubebuilder:subresource:status // +kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol,categories=kyverno -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY 
IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // ClusterPolicy declares validation, mutation, and generation behaviors for matching resources. type ClusterPolicy struct { @@ -41,7 +43,7 @@ type ClusterPolicy struct { // HasAutoGenAnnotation checks if a policy has auto-gen annotation func (p *ClusterPolicy) HasAutoGenAnnotation() bool { annotations := p.GetAnnotations() - val, ok := annotations[kyvernov1.PodControllersAnnotation] + val, ok := annotations[kyverno.AnnotationAutogenControllers] if ok && strings.ToLower(val) != "none" { return true } @@ -78,6 +80,11 @@ func (p *ClusterPolicy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *ClusterPolicy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *ClusterPolicy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() @@ -104,7 +111,7 @@ func (p *ClusterPolicy) IsReady() bool { func (p *ClusterPolicy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { errs = append(errs, kyvernov1.ValidateAutogenAnnotation(field.NewPath("metadata").Child("annotations"), p.GetAnnotations())...) errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), clusterResources)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.Namespace, clusterResources)...) return errs } diff --git a/api/kyverno/v2beta1/common_types.go b/api/kyverno/v2beta1/common_types.go index d74394883c30..bce28ac00e6b 100644 --- a/api/kyverno/v2beta1/common_types.go +++ b/api/kyverno/v2beta1/common_types.go 
@@ -1,13 +1,29 @@ package v2beta1 import ( + kjson "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1" + "github.com/kyverno/kyverno/api/kyverno" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions" - apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" ) +// AssertionTree defines a kyverno-json assertion tree. +type AssertionTree = kjson.Any + // Validation defines checks to be performed on matching resources. type Validation struct { + // ValidationFailureAction defines if a validation policy rule violation should block + // the admission review request (Enforce), or allow (Audit) the admission review request + // and report an error in a policy report. Optional. + // Allowed values are Audit or Enforce. + // +optional + // +kubebuilder:validation:Enum=Audit;Enforce + ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + + // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + // namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + // +optional + ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"` + // Message specifies a custom message to be displayed on failure. // +optional Message string `json:"message,omitempty" yaml:"message,omitempty"` 
@@ -21,13 +37,15 @@ type Validation struct { ForEachValidation []kyvernov1.ForEachValidation `json:"foreach,omitempty" yaml:"foreach,omitempty"` // Pattern specifies an overlay-style pattern used to check resources. - // +optional - RawPattern *apiextv1.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawPattern *kyverno.Any `json:"pattern,omitempty" yaml:"pattern,omitempty"` // AnyPattern specifies list of validation patterns. At least one of the patterns // must be satisfied for the validation rule to succeed. - // +optional - RawAnyPattern *apiextv1.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawAnyPattern *kyverno.Any `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"` // Deny defines conditions used to pass or fail a validation rule. // +optional @@ -37,6 +55,14 @@ type Validation struct { // by specifying exclusions for Pod Security Standards controls. // +optional PodSecurity *kyvernov1.PodSecurity `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"` + + // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + // +optional + CEL *kyvernov1.CEL `json:"cel,omitempty" yaml:"cel,omitempty"` + + // Assert defines a kyverno-json assertion tree. + // +optional + Assert AssertionTree `json:"assert"` } // ConditionOperator is the operation performed on condition key and value. 
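Review bot: The new `Assert AssertionTree `json:"assert"`` field is marked `+optional` but its tag has no `omitempty`, so an unset assertion tree is still emitted on serialization (as `null`, assuming the kjson alias marshals its zero value that way — verify), and it carries none of the `+kubebuilder:validation:Schemaless` / `+kubebuilder:pruning:PreserveUnknownFields` markers the sibling `RawPattern`/`RawAnyPattern` fields gained in the same file; unless the alias type supplies its own schema, an arbitrary tree under `assert` would be pruned by the API server. Suggest `Assert AssertionTree `json:"assert,omitempty" yaml:"assert,omitempty"`` with the same two markers. The enclosing Validation struct starts outside this hunk.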
@@ -77,15 +103,16 @@ var ConditionOperators = map[string]ConditionOperator{ // Deny specifies a list of conditions used to pass or fail a validation rule. type Deny struct { - // Multiple conditions can be declared under an `any` or `all` statement. A direct list - // of conditions (without `any` or `all` statements) is also supported for backwards compatibility + // Multiple conditions can be declared under an `any` or `all` statement. // See: https://kyverno.io/docs/writing-policies/validate/#deny-rules RawAnyAllConditions *AnyAllConditions `json:"conditions,omitempty" yaml:"conditions,omitempty"` } type Condition struct { // Key is the context entry (using JMESPath) for conditional rule evaluation. - RawKey *apiextv1.JSON `json:"key,omitempty" yaml:"key,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawKey *kyverno.Any `json:"key,omitempty" yaml:"key,omitempty"` // Operator is the conditional operation to perform. Valid operators are: // Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, 
@@ -95,24 +122,28 @@ type Condition struct { // Value is the conditional value, or set of values. The values can be fixed set // or can be variables declared using JMESPath. - // +optional - RawValue *apiextv1.JSON `json:"value,omitempty" yaml:"value,omitempty"` + // +kubebuilder:validation:Schemaless + // +kubebuilder:pruning:PreserveUnknownFields + RawValue *kyverno.Any `json:"value,omitempty" yaml:"value,omitempty"` + + // Message is an optional display message + Message string `json:"message,omitempty" yaml:"message,omitempty"` } -func (c *Condition) GetKey() apiextensions.JSON { - return kyvernov1.FromJSON(c.RawKey) +func (c *Condition) GetKey() any { + return kyverno.FromAny(c.RawKey) } -func (c *Condition) SetKey(in apiextensions.JSON) { - c.RawKey = kyvernov1.ToJSON(in) +func (c *Condition) SetKey(in any) { + c.RawKey = kyverno.ToAny(in) } -func (c *Condition) GetValue() apiextensions.JSON { - return kyvernov1.FromJSON(c.RawValue) +func (c *Condition) GetValue() any { + return kyverno.FromAny(c.RawValue) } -func (c *Condition) SetValue(in apiextensions.JSON) { - c.RawValue = kyvernov1.ToJSON(in) +func (c *Condition) SetValue(in any) { + c.RawValue = kyverno.ToAny(in) } type AnyAllConditions struct { diff --git a/api/kyverno/v2beta1/fuzz_test.go b/api/kyverno/v2beta1/fuzz_test.go new file mode 100644 index 000000000000..796a21b5f021 --- /dev/null +++ b/api/kyverno/v2beta1/fuzz_test.go 
@@ -0,0 +1,57 @@ +package v2beta1 + +import ( + "testing" + + fuzz "github.com/AdaLogics/go-fuzz-headers" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +func FuzzV2beta1PolicyValidate(f *testing.F) { + f.Fuzz(func(t *testing.T, data []byte) { + ff := fuzz.NewConsumer(data) + p := Policy{} + ff.GenerateStruct(&p) + _ = p.Validate(nil) + }) +} + +var ( + path = field.NewPath("dummy") +) + +func FuzzV2beta1ImageVerification(f *testing.F) { + f.Fuzz(func(t *testing.T, data []byte) { + ff := fuzz.NewConsumer(data) + iv := ImageVerification{} + ff.GenerateStruct(&iv) + iv.Validate(false, path) + }) +} + +func FuzzV2beta1MatchResources(f *testing.F) { + f.Fuzz(func(t *testing.T, data []byte) { + ff := fuzz.NewConsumer(data) + mr := &MatchResources{} + ff.GenerateStruct(&mr) + mr.ValidateResourceWithNoUserInfo(path, false, nil) + mr.Validate(path, false, nil) + }) +} + +func FuzzV2beta1ClusterPolicy(f *testing.F) { + f.Fuzz(func(t *testing.T, data []byte) { + ff := fuzz.NewConsumer(data) + cp := &ClusterPolicy{} + ff.GenerateStruct(&cp) + cp.HasAutoGenAnnotation() + cp.HasMutateOrValidateOrGenerate() + cp.HasMutate() + cp.HasValidate() + cp.HasGenerate() + cp.HasVerifyImages() + cp.AdmissionProcessingEnabled() + cp.BackgroundProcessingEnabled() + cp.Validate(nil) + }) +} diff --git a/api/kyverno/v2beta1/image_verification_test.go b/api/kyverno/v2beta1/image_verification_test.go index e5054a187960..f93e961ddaad 100644 --- a/api/kyverno/v2beta1/image_verification_test.go +++ b/api/kyverno/v2beta1/image_verification_test.go @@ -85,7 +85,7 @@ func Test_ImageVerification(t *testing.T) { ImageReferences: []string{"*"}, Attestors: []kyvernov1.AttestorSet{ {Entries: []kyvernov1.Attestor{{ - Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.CTLog{}, Issuer: "", Subject: ""}, + Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.Rekor{}, Issuer: "", Subject: ""}, }}}, }, }, 
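Review bot: FuzzV2beta1MatchResources and FuzzV2beta1ClusterPolicy declare `mr := &MatchResources{}` / `cp := &ClusterPolicy{}` and then pass `&mr` / `&cp`, a pointer to a pointer, to `ff.GenerateStruct`, while FuzzV2beta1PolicyValidate passes `&p` on a value; whether go-fuzz-headers dereferences the extra level is not established here, and if it does not these two targets only ever exercise a zero struct. Using the same shape in all four targets, `mr := MatchResources{}` then `ff.GenerateStruct(&mr)` and `mr.Validate(path, false, nil)`, removes the doubt. The error returned by GenerateStruct is dropped in every target; a short comment such as `// a partially filled value on error is still a useful input` documents that this is deliberate. The package-level `path` declared here is shadowed by the local `path := field.NewPath("dummy")` in the image_verification_test.go hunks of this commit.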
@@ -102,7 +102,7 @@ func Test_ImageVerification(t *testing.T) { ImageReferences: []string{"*"}, Attestors: []kyvernov1.AttestorSet{ {Entries: []kyvernov1.Attestor{{ - Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.CTLog{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"}, + Keyless: &kyvernov1.KeylessAttestor{Rekor: &kyvernov1.Rekor{URL: "https://rekor.sigstore.dev"}, Issuer: "bla", Subject: "bla"}, }}}, }, }, 
@@ -120,9 +120,116 @@ func Test_ImageVerification(t *testing.T) { }, } + isAuditFailureAction := false for _, test := range testCases { subject := test.subject - errs := subject.Validate(path) + errs := subject.Validate(isAuditFailureAction, path) + var expectedErrs field.ErrorList + if test.errors != nil { + expectedErrs = test.errors(&subject) + } + + assert.Equal(t, len(errs), len(expectedErrs), fmt.Sprintf("test `%s` error count mismatch, errors %v", test.name, errs)) + if len(errs) != 0 { + assert.DeepEqual(t, errs, expectedErrs) + } + } +} + +func Test_Audit_VerifyImageRule(t *testing.T) { + path := field.NewPath("dummy") + testCases := []struct { + name string + subject ImageVerification + errors func(*ImageVerification) field.ErrorList + }{ + { + name: "mutateDigest set to true for audit failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []kyvernov1.Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: true, + }, + errors: func(i *ImageVerification) field.ErrorList { + return field.ErrorList{ + field.Invalid( + path.Child("mutateDigest"), + i.MutateDigest, + "mutateDigest must be set to false for ‘Audit’ failure action"), + } + }, + }, + { + name: "mutateDigest set to false for audit failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []kyvernov1.Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: false, + }, + }, + } + + isAuditFailureAction := true // indicates validateFailureAction set to Audit + for _, test := range testCases { + subject := test.subject + errs := subject.Validate(isAuditFailureAction, path) + var expectedErrs field.ErrorList + if test.errors != nil { + expectedErrs = test.errors(&subject) + } + + assert.Equal(t, len(errs), len(expectedErrs), fmt.Sprintf("test `%s` error count mismatch, errors %v", test.name, errs)) + if len(errs) != 0 { + assert.DeepEqual(t, errs, expectedErrs) + } + } +} + +func 
Test_Enforce_VerifyImageRule(t *testing.T) { + path := field.NewPath("dummy") + testCases := []struct { + name string + subject ImageVerification + errors func(*ImageVerification) field.ErrorList + }{ + { + name: "mutateDigest set to true for enforce failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []kyvernov1.Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: true, + }, + }, + { + name: "mutateDigest set to false for enforce failure action", + subject: ImageVerification{ + ImageReferences: []string{"*"}, + Attestations: []kyvernov1.Attestation{ + { + PredicateType: "foo", + }, + }, + MutateDigest: false, + }, + }, + } + + isAuditFailureAction := false // indicates validateFailureAction set to Enforce + for _, test := range testCases { + subject := test.subject + errs := subject.Validate(isAuditFailureAction, path) var expectedErrs field.ErrorList if test.errors != nil { expectedErrs = test.errors(&subject) diff --git a/api/kyverno/v2beta1/image_verification_types.go b/api/kyverno/v2beta1/image_verification_types.go index 5fafa87a365a..d6a270c5b0e5 100644 --- a/api/kyverno/v2beta1/image_verification_types.go +++ b/api/kyverno/v2beta1/image_verification_types.go 
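Review bot: Test_Audit_VerifyImageRule and Test_Enforce_VerifyImageRule repeat the loop body of Test_ImageVerification with only the case table and the `isAuditFailureAction` value differing, which leaves three copies of the same assertion code to keep in sync. Folding the flag into the case struct, `isAudit bool`, and keeping one loop that calls `subject.Validate(test.isAudit, path)` gives a single place to update when Validate gains another input. The expected message in the audit case contains typographic quotes (`‘Audit’`) and must stay byte-identical to the literal in ImageVerification.Validate; a shared constant would prevent the two from drifting. Test_ImageVerification begins outside this hunk.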
@@ -9,6 +9,16 @@ import ( // are signed with the supplied public key. Once the image is verified it is // mutated to include the SHA digest retrieved during the registration. type ImageVerification struct { + // Allowed values are Audit or Enforce. + // +optional + // +kubebuilder:validation:Enum=Audit;Enforce + ValidationFailureAction *kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"` + + // Type specifies the method of signature validation. The allowed options + // are Cosign and Notary. By default Cosign is used if a type is not specified. + // +kubebuilder:validation:Optional + Type kyvernov1.ImageVerificationType `json:"type,omitempty" yaml:"type,omitempty"` + // ImageReferences is a list of matching image reference patterns. At least one pattern in the // list must match the image for the rule to apply. Each image reference consists of a registry // address (defaults to docker.io), repository, image, and tag (defaults to latest). @@ -16,6 +26,13 @@ type ImageVerification struct { // +kubebuilder:validation:Optional ImageReferences []string `json:"imageReferences,omitempty" yaml:"imageReferences,omitempty"` + // SkipImageReferences is a list of matching image reference patterns that should be skipped. + // At least one pattern in the list must match the image for the rule to be skipped. Each image reference + // consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + // Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + // +kubebuilder:validation:Optional + SkipImageReferences []string `json:"skipImageReferences,omitempty" yaml:"skipImageReferences,omitempty"` + // Attestors specified the required attestors (i.e. authorities) // +kubebuilder:validation:Optional Attestors []kyvernov1.AttestorSet `json:"attestors,omitempty" yaml:"attestors,omitempty"` 
@@ -45,12 +62,25 @@ type ImageVerification struct { // +kubebuilder:default=true // +kubebuilder:validation:Optional Required bool `json:"required" yaml:"required"` + + // ImageRegistryCredentials provides credentials that will be used for authentication with registry + // +kubebuilder:validation:Optional + ImageRegistryCredentials *kyvernov1.ImageRegistryCredentials `json:"imageRegistryCredentials,omitempty" yaml:"imageRegistryCredentials,omitempty"` + + // UseCache enables caching of image verify responses for this rule + // +kubebuilder:default=true + // +kubebuilder:validation:Optional + UseCache bool `json:"useCache" yaml:"useCache"` } // Validate implements programmatic validation -func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { +func (iv *ImageVerification) Validate(isAuditFailureAction bool, path *field.Path) (errs field.ErrorList) { copy := iv + if isAuditFailureAction && iv.MutateDigest { + errs = append(errs, field.Invalid(path.Child("mutateDigest"), iv.MutateDigest, "mutateDigest must be set to false for ‘Audit’ failure action")) + } + if len(copy.ImageReferences) == 0 { errs = append(errs, field.Invalid(path, iv, "An image reference is required")) } @@ -67,5 +97,18 @@ func (iv *ImageVerification) Validate(path *field.Path) (errs field.ErrorList) { errs = append(errs, attestorErrors...) } + if iv.Type == kyvernov1.Notary { + for _, attestorSet := range iv.Attestors { + for _, attestor := range attestorSet.Entries { + if attestor.Keyless != nil { + errs = append(errs, field.Invalid(attestorsPath, iv, "Keyless field is not allowed for type notary")) + } + if attestor.Keys != nil { + errs = append(errs, field.Invalid(attestorsPath, iv, "Keys field is not allowed for type notary")) + } + } + } + } + return errs } diff --git a/api/kyverno/v2beta1/match_resources_test.go b/api/kyverno/v2beta1/match_resources_test.go index a45b55b99966..2f5f27a19dae 100644 --- a/api/kyverno/v2beta1/match_resources_test.go 
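Review bot: ImageVerification gains a per-rule `ValidationFailureAction` field, yet the new mutateDigest check in Validate reads only the `isAuditFailureAction` argument the caller supplies; if the caller derives that flag from the policy-level action without consulting `iv.ValidationFailureAction` (the caller is not visible here), a rule that overrides to Audit with `mutateDigest: true` passes validation and a rule overriding to Enforce could be rejected. Resolving the effective action inside the method keeps the check self-contained: `if iv.ValidationFailureAction != nil { isAuditFailureAction = (*iv.ValidationFailureAction == <the v1 Audit value>) }`. The doc comment on `ImageRegistryCredentials` should also say what the field holds — references to Secrets or credentials inline — because a policy object is typically readable far more widely than a Secret. The pre-existing local `copy := iv` shadows the builtin `copy` and is only an alias of `iv`.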
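Review bot: The Notary check reports every violation against the bare `attestorsPath` with the whole `iv` as the offending value, so a rule with several attestor sets yields identical errors that do not say which entry is wrong; iterating with indices and reporting `attestorsPath.Index(i).Child("entries").Index(j).Child("keyless")` (and `Child("keys")`) with the attestor as the value points the user at the field. The check only rejects Keyless and Keys for Notary; it does not confirm that a Notary attestor supplies anything else, so an otherwise empty attestor passes here unless a check outside the hunk covers it. `attestorsPath` and the start of Validate lie outside this hunk.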
+++ b/api/kyverno/v2beta1/match_resources_test.go 
@@ -53,7 +53,7 @@ func Test_MatchResources(t *testing.T) { }}, }, errors: []string{ - `dummy: Invalid value: v2beta1.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}}}}: Can't specify any and all together`, + `dummy: Invalid value: v2beta1.MatchResources{Any:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}, All:v1.ResourceFilters{v1.ResourceFilter{UserInfo:v1.UserInfo{Roles:[]string(nil), ClusterRoles:[]string(nil), Subjects:[]v1.Subject{v1.Subject{Kind:"ServiceAccount", APIGroup:"", Name:"sa-1", Namespace:"ns"}}}, ResourceDescription:v1.ResourceDescription{Kinds:[]string(nil), Name:"", Names:[]string(nil), Namespaces:[]string(nil), Annotations:map[string]string(nil), 
Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}}}}: Can't specify any and all together`, }, }} diff --git a/api/kyverno/v2beta1/match_resources_types.go b/api/kyverno/v2beta1/match_resources_types.go index 4a9af4407ec0..d3a3c995b662 100644 --- a/api/kyverno/v2beta1/match_resources_types.go +++ b/api/kyverno/v2beta1/match_resources_types.go @@ -18,6 +18,14 @@ type MatchResources struct { All kyvernov1.ResourceFilters `json:"all,omitempty" yaml:"all,omitempty"` } +// GetResourceFilters returns all resource filters +func (m *MatchResources) GetResourceFilters() kyvernov1.ResourceFilters { + var filters kyvernov1.ResourceFilters + filters = append(filters, m.All...) + filters = append(filters, m.Any...) + return filters +} + // GetKinds returns all kinds func (m *MatchResources) GetKinds() []string { var kinds []string 
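Review bot: `GetResourceFilters` grows `filters` from a nil slice through two `append` calls although the final length is known; `filters := make(kyvernov1.ResourceFilters, 0, len(m.All)+len(m.Any))` avoids the intermediate growth and makes explicit that callers receive a fresh slice rather than a view of `m.All`. The doc comment could also state the ordering, e.g. `// GetResourceFilters returns all resource filters as a new slice, the "all" filters followed by the "any" filters.`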
@@ -43,6 +51,24 @@ func (m *MatchResources) ValidateNoUserInfo(path *field.Path) (errs field.ErrorL return errs } +// ValidateResourceWithNoUserInfo implements programmatic validation and verifies that no user info is used +func (m *MatchResources) ValidateResourceWithNoUserInfo(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) { + if len(m.Any) > 0 && len(m.All) > 0 { + errs = append(errs, field.Invalid(path, m, "Can't specify any and all together")) + } + anyPath := path.Child("any") + for i, filter := range m.Any { + errs = append(errs, filter.UserInfo.ValidateNoUserInfo(anyPath.Index(i))...) + errs = append(errs, filter.ResourceDescription.Validate(anyPath.Index(i), namespaced, clusterResources)...) + } + allPath := path.Child("all") + for i, filter := range m.All { + errs = append(errs, filter.UserInfo.ValidateNoUserInfo(allPath.Index(i))...) + errs = append(errs, filter.ResourceDescription.Validate(allPath.Index(i), namespaced, clusterResources)...) + } + return errs +} + // Validate implements programmatic validation func (m *MatchResources) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) { if len(m.Any) > 0 && len(m.All) > 0 { diff --git a/api/kyverno/v2beta1/policy_exception_types.go b/api/kyverno/v2beta1/policy_exception_types.go new file mode 100644 index 000000000000..da6695cd2196 --- /dev/null +++ b/api/kyverno/v2beta1/policy_exception_types.go 
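Review bot: `ValidateResourceWithNoUserInfo` repeats the any/all conflict check and both per-filter loops that `Validate` (declared immediately after this hunk) performs, differing only by the added `filter.UserInfo.ValidateNoUserInfo` calls, so the two will drift the next time a check is added to one of them. If `ValidateNoUserInfo` above does not itself emit the any/all error, the body reduces to `errs = append(errs, m.ValidateNoUserInfo(path)...)` followed by `errs = append(errs, m.Validate(path, namespaced, clusterResources)...)`; its body is outside this hunk, so that needs confirming. Failing that, a comment stating that this method is `Validate` plus the no-user-info restriction would at least tie the two together.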
@@ -0,0 +1,160 @@ +/* +Copyright 2022 The Kubernetes authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package v2beta1 + +import ( + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/ext/wildcard" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/validation/field" +) + +// +genclient +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +// +kubebuilder:resource:shortName=polex,categories=kyverno +// +kubebuilder:deprecatedversion + +// PolicyException declares resources to be excluded from specified policies. +type PolicyException struct { + metav1.TypeMeta `json:",inline,omitempty" yaml:",inline,omitempty"` + metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"` + + // Spec declares policy exception behaviors. + Spec PolicyExceptionSpec `json:"spec" yaml:"spec"` +} + +// Validate implements programmatic validation +func (p *PolicyException) Validate() (errs field.ErrorList) { + errs = append(errs, p.Spec.Validate(field.NewPath("spec"))...) 
+ return errs +} + +// Contains returns true if it contains an exception for the given policy/rule pair +func (p *PolicyException) Contains(policy string, rule string) bool { + return p.Spec.Contains(policy, rule) +} + +func (p *PolicyException) GetKind() string { + return "PolicyException" +} + +// HasPodSecurity checks if podSecurity controls is specified +func (p *PolicyException) HasPodSecurity() bool { + return len(p.Spec.PodSecurity) > 0 +} + +// PolicyExceptionSpec stores policy exception spec +type PolicyExceptionSpec struct { + // Background controls if exceptions are applied to existing policies during a background scan. + // Optional. Default value is "true". The value must be set to "false" if the policy rule + // uses variables that are only available in the admission review request (e.g. user name). + Background *bool `json:"background,omitempty" yaml:"background,omitempty"` + + // Match defines match clause used to check if a resource applies to the exception + Match MatchResources `json:"match" yaml:"match"` + + // Conditions are used to determine if a resource applies to the exception by evaluating a + // set of conditions. The declaration can contain nested `any` or `all` statements. + // +optional + Conditions *AnyAllConditions `json:"conditions,omitempty"` + + // Exceptions is a list policy/rules to be excluded + Exceptions []Exception `json:"exceptions" yaml:"exceptions"` + + // PodSecurity specifies the Pod Security Standard controls to be excluded. + // Applicable only to policies that have validate.podSecurity subrule. 
+ // +optional + PodSecurity []kyvernov1.PodSecurityStandard `json:"podSecurity,omitempty" yaml:"podSecurity,omitempty"` +} + +func (p *PolicyExceptionSpec) BackgroundProcessingEnabled() bool { + if p.Background == nil { + return true + } + return *p.Background +} + +// Validate implements programmatic validation +func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList) { + if p.BackgroundProcessingEnabled() { + if userErrs := p.Match.ValidateNoUserInfo(path.Child("match")); len(userErrs) > 0 { + errs = append(errs, userErrs...) + } + } + errs = append(errs, p.Match.Validate(path.Child("match"), false, nil)...) + exceptionsPath := path.Child("exceptions") + for i, e := range p.Exceptions { + errs = append(errs, e.Validate(exceptionsPath.Index(i))...) + } + + podSecuityPath := path.Child("podSecurity") + for i, p := range p.PodSecurity { + errs = append(errs, p.Validate(podSecuityPath.Index(i))...) + } + return errs +} + +// Contains returns true if it contains an exception for the given policy/rule pair +func (p *PolicyExceptionSpec) Contains(policy string, rule string) bool { + for _, exception := range p.Exceptions { + if exception.Contains(policy, rule) { + return true + } + } + return false +} + +// Exception stores infos about a policy and rules +type Exception struct { + // PolicyName identifies the policy to which the exception is applied. + // The policy name uses the format / unless it + // references a ClusterPolicy. + PolicyName string `json:"policyName" yaml:"policyName"` + + // RuleNames identifies the rules to which the exception is applied. 
+ RuleNames []string `json:"ruleNames" yaml:"ruleNames"` +} + +// Validate implements programmatic validation +func (p *Exception) Validate(path *field.Path) (errs field.ErrorList) { + if p.PolicyName == "" { + errs = append(errs, field.Required(path.Child("policyName"), "An exception requires a policy name")) + } + return errs +} + +// Contains returns true if it contains an exception for the given policy/rule pair +func (p *Exception) Contains(policy string, rule string) bool { + if p.PolicyName == policy { + for _, ruleName := range p.RuleNames { + if wildcard.Match(ruleName, rule) { + return true + } + } + } + return false +} + +// +kubebuilder:object:root=true +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// PolicyExceptionList is a list of Policy Exceptions +type PolicyExceptionList struct { + metav1.TypeMeta `json:",inline" yaml:",inline"` + metav1.ListMeta `json:"metadata" yaml:"metadata"` + Items []PolicyException `json:"items" yaml:"items"` +} diff --git a/api/kyverno/v2beta1/policy_test.go b/api/kyverno/v2beta1/policy_test.go index 7344a0343abb..ab0f3706a6bb 100644 --- a/api/kyverno/v2beta1/policy_test.go +++ b/api/kyverno/v2beta1/policy_test.go @@ -3,7 +3,7 @@ package v2beta1 import ( "testing" - kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + "github.com/kyverno/kyverno/api/kyverno" "gotest.tools/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/validation/field" @@ -45,7 +45,7 @@ func Test_Policy_Autogen_All(t *testing.T) { Name: "policy", Namespace: "abcd", Annotations: map[string]string{ - kyvernov1.PodControllersAnnotation: "all", + kyverno.AnnotationAutogenControllers: "all", }, }, } diff --git a/api/kyverno/v2beta1/policy_types.go b/api/kyverno/v2beta1/policy_types.go index d42774053a44..0d3a62675dd8 100644 --- a/api/kyverno/v2beta1/policy_types.go +++ b/api/kyverno/v2beta1/policy_types.go 
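Review bot: `Exception.Validate` requires `policyName` but never checks `ruleNames`, and `Exception.Contains` only returns true after matching an entry of `RuleNames`, so an exception with an empty `ruleNames` list is accepted and then silently never applies; adding `if len(p.RuleNames) == 0 { errs = append(errs, field.Required(path.Child("ruleNames"), "An exception requires at least one rule name")) }` surfaces the misconfiguration at admission time instead. In `PolicyExceptionSpec.Validate` the loop `for i, p := range p.PodSecurity` shadows the receiver `p` inside its own body and the path variable is misspelled; `for i, ps := range p.PodSecurity` with `podSecurityPath` reads cleanly. `Conditions` is the only field in the spec with a `json` tag but no `yaml` tag, unlike its siblings. `PolicyExceptionSpec.Validate` also passes `false` and `nil` for `namespaced` and `clusterResources`, which presumably disables the namespaced-kind checks in `Match.Validate`; a short comment saying why would help the next reader.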
@@ -3,6 +3,7 @@ package v2beta1
 import (
 	"strings"
 
+	"github.com/kyverno/kyverno/api/kyverno"
 	kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/sets"
@@ -13,15 +14,16 @@ import ( // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +kubebuilder:object:root=true // +kubebuilder:subresource:status -// +kubebuilder:printcolumn:name="Background",type=boolean,JSONPath=".spec.background" -// +kubebuilder:printcolumn:name="Validate Action",type=string,JSONPath=".spec.validationFailureAction" -// +kubebuilder:printcolumn:name="Failure Policy",type=string,JSONPath=".spec.failurePolicy",priority=1 -// +kubebuilder:printcolumn:name="Ready",type=boolean,JSONPath=`.status.ready` -// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp" -// +kubebuilder:printcolumn:name="Validate",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 -// +kubebuilder:printcolumn:name="Mutate",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 -// +kubebuilder:printcolumn:name="Generate",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 -// +kubebuilder:printcolumn:name="Verifyimages",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// +kubebuilder:printcolumn:name="ADMISSION",type=boolean,JSONPath=".spec.admission" +// +kubebuilder:printcolumn:name="BACKGROUND",type=boolean,JSONPath=".spec.background" +// +kubebuilder:printcolumn:name="READY",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].status` +// +kubebuilder:printcolumn:name="AGE",type="date",JSONPath=".metadata.creationTimestamp" +// +kubebuilder:printcolumn:name="FAILURE POLICY",type=string,JSONPath=".spec.failurePolicy",priority=1 +// +kubebuilder:printcolumn:name="VALIDATE",type=integer,JSONPath=`.status.rulecount.validate`,priority=1 +// +kubebuilder:printcolumn:name="MUTATE",type=integer,JSONPath=`.status.rulecount.mutate`,priority=1 +// +kubebuilder:printcolumn:name="GENERATE",type=integer,JSONPath=`.status.rulecount.generate`,priority=1 +// +kubebuilder:printcolumn:name="VERIFY IMAGES",type=integer,JSONPath=`.status.rulecount.verifyimages`,priority=1 +// 
+kubebuilder:printcolumn:name="MESSAGE",type=string,JSONPath=`.status.conditions[?(@.type == "Ready")].message` // +kubebuilder:resource:shortName=pol,categories=kyverno // Policy declares validation, mutation, and generation behaviors for matching resources. @@ -41,7 +43,7 @@ type Policy struct { // HasAutoGenAnnotation checks if a policy has auto-gen annotation func (p *Policy) HasAutoGenAnnotation() bool { annotations := p.GetAnnotations() - val, ok := annotations[kyvernov1.PodControllersAnnotation] + val, ok := annotations[kyverno.AnnotationAutogenControllers] if ok && strings.ToLower(val) != "none" { return true } @@ -78,6 +80,11 @@ func (p *Policy) HasVerifyImages() bool { return p.Spec.HasVerifyImages() } +// AdmissionProcessingEnabled checks if admission is set to true +func (p *Policy) AdmissionProcessingEnabled() bool { + return p.Spec.AdmissionProcessingEnabled() +} + // BackgroundProcessingEnabled checks if background is set to true func (p *Policy) BackgroundProcessingEnabled() bool { return p.Spec.BackgroundProcessingEnabled() @@ -104,7 +111,7 @@ func (p *Policy) IsReady() bool { func (p *Policy) Validate(clusterResources sets.Set[string]) (errs field.ErrorList) { errs = append(errs, kyvernov1.ValidateAutogenAnnotation(field.NewPath("metadata").Child("annotations"), p.GetAnnotations())...) errs = append(errs, kyvernov1.ValidatePolicyName(field.NewPath("name"), p.Name)...) - errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), clusterResources)...) + errs = append(errs, p.Spec.Validate(field.NewPath("spec"), p.IsNamespaced(), p.Namespace, clusterResources)...) return errs } diff --git a/api/kyverno/v2beta1/register.go b/api/kyverno/v2beta1/register.go deleted file mode 100755 index 4729045fa414..000000000000 --- a/api/kyverno/v2beta1/register.go +++ /dev/null 
@@ -1,41 +0,0 @@ -package v2beta1 - -import ( - "github.com/kyverno/kyverno/api/kyverno" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" -) - -// SchemeGroupVersion is group version used to register these objects -var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v2beta1"} - -// Kind takes an unqualified kind and returns back a Group qualified GroupKind -func Kind(kind string) schema.GroupKind { - return SchemeGroupVersion.WithKind(kind).GroupKind() -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} - -var ( - // SchemeBuilder builds the scheme - SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) - - // AddToScheme adds all types of this clientset into the given scheme - AddToScheme = SchemeBuilder.AddToScheme -) - -// Adds the list of known types to Scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &ClusterPolicy{}, - &ClusterPolicyList{}, - &Policy{}, - &PolicyList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} diff --git a/api/kyverno/v2beta1/resource_description_test.go b/api/kyverno/v2beta1/resource_description_test.go index 782945f1e871..7ec248a11970 100644 --- a/api/kyverno/v2beta1/resource_description_test.go +++ b/api/kyverno/v2beta1/resource_description_test.go 
@@ -25,7 +25,7 @@ func Test_ResourceDescription(t *testing.T) { Names: []string{"bar", "baz"}, }, errors: []string{ - `dummy: Invalid value: v2beta1.ResourceDescription{Kinds:[]string(nil), Names:[]string{"bar", "baz"}, Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil)}: Both name and names can not be specified together`, + `dummy: Invalid value: v2beta1.ResourceDescription{Kinds:[]string(nil), Names:[]string{"bar", "baz"}, Namespaces:[]string(nil), Annotations:map[string]string(nil), Selector:(*v1.LabelSelector)(nil), NamespaceSelector:(*v1.LabelSelector)(nil), Operations:[]v1.AdmissionOperation(nil)}: Both name and names can not be specified together`, }, }, { name: "selector", diff --git a/api/kyverno/v2beta1/resource_description_types.go b/api/kyverno/v2beta1/resource_description_types.go index 1083eda69ab5..aaa7cb518f00 100644 --- a/api/kyverno/v2beta1/resource_description_types.go +++ b/api/kyverno/v2beta1/resource_description_types.go @@ -3,6 +3,7 @@ package v2beta1 import ( "fmt" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/sets" @@ -45,6 +46,18 @@ type ResourceDescription struct { // does not match an empty label set. // +optional NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"` + + // Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action. + // +optional + Operations []kyvernov1.AdmissionOperation `json:"operations,omitempty" yaml:"operations,omitempty"` +} + +func (r ResourceDescription) GetOperations() []string { + ops := []string{} + for _, op := range r.Operations { + ops = append(ops, string(op)) + } + return ops } // Validate implements programmatic validation 
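Review bot: The doc comment on the new `Operations` field has an unbalanced quote (`["CREATE, "UPDATE", ...`); it should read `// Operations can contain values ["CREATE", "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action.` `GetOperations` appends into an empty slice whose final size is known, so `ops := make([]string, 0, len(r.Operations))` avoids the regrowth while still returning a non-nil slice when `Operations` is nil. A one-line doc comment, e.g. `// GetOperations returns the configured admission operations as strings.`, would also match the exported-name convention the neighbouring `Validate` follows.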
diff --git a/api/kyverno/v2beta1/rule_test.go b/api/kyverno/v2beta1/rule_test.go index 1114a18023a3..1a00c058eade 100644 --- a/api/kyverno/v2beta1/rule_test.go +++ b/api/kyverno/v2beta1/rule_test.go @@ -13,7 +13,7 @@ func Test_Validate_RuleType_EmptyRule(t *testing.T) { Name: "validate-user-privilege", } path := field.NewPath("dummy") - errs := subject.Validate(path, false, nil) + errs := subject.Validate(path, false, "", nil) assert.Equal(t, len(errs), 1) assert.Equal(t, errs[0].Field, "dummy") assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid) @@ -94,7 +94,7 @@ func Test_Validate_RuleType_MultipleRule(t *testing.T) { assert.NilError(t, err) for _, rule := range policy.Spec.Rules { path := field.NewPath("dummy") - errs := rule.Validate(path, false, nil) + errs := rule.Validate(path, false, "", nil) assert.Assert(t, len(errs) != 0) } } @@ -153,7 +153,7 @@ func Test_Validate_RuleType_SingleRule(t *testing.T) { assert.NilError(t, err) for _, rule := range policy.Spec.Rules { path := field.NewPath("dummy") - errs := rule.Validate(path, false, nil) + errs := rule.Validate(path, false, "", nil) assert.Assert(t, len(errs) == 0) } } 
@@ -235,3 +235,306 @@ func Test_doesMatchExcludeConflict(t *testing.T) { } } } + +func Test_Validate_ClusterPolicy_Generate_Variables(t *testing.T) { + path := field.NewPath("dummy") + testcases := []struct { + name string + rule []byte + shouldFail bool + }{ + { + name: "clone-name", + rule: []byte(` + { + "name": "clone-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "apiVersion": "v1", + "kind": "Secret", + "name": "regcred", + "namespace": "test", + "synchronize": true, + "clone": { + "namespace": "default", + "name": "{{request.object.metadata.name}}" + } + } + }`), + shouldFail: true, + }, + { + name: "clone-namespace", + rule: []byte(` + { + "name": "clone-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "apiVersion": "v1", + "kind": "Secret", + "name": "regcred", + "namespace": "test", + "synchronize": true, + "clone": { + "namespace": "{{request.object.metadata.name}}", + "name": "regcred" + } + } + }`), + shouldFail: true, + }, + { + name: "cloneList-namespace", + rule: []byte(` + { + "name": "sync-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "namespace": "test", + "synchronize": true, + "cloneList": { + "namespace": "{{request.object.metadata.name}}", + "kinds": [ + "v1/Secret", + "v1/ConfigMap" + ], + "selector": { + "matchLabels": { + "allowedToBeCloned": "true" + } + } + } + } + }`), + shouldFail: true, + }, + { + name: "cloneList-kinds", + rule: []byte(` + { + "name": "sync-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "namespace": "test", + "synchronize": true, + "cloneList": { + "namespace": "default", + "kinds": [ + "{{request.object.metadata.kind}}", + "v1/ConfigMap" + ], + "selector": { + "matchLabels": { + "allowedToBeCloned": "true" + } + } + } + } + }`), + 
shouldFail: true, + }, + { + name: "cloneList-selector", + rule: []byte(` + { + "name": "sync-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "namespace": "test", + "synchronize": true, + "cloneList": { + "namespace": "default", + "kinds": [ + "v1/Secret", + "v1/ConfigMap" + ], + "selector": { + "matchLabels": { + "{{request.object.metadata.name}}": "clone" + } + } + } + } + }`), + shouldFail: true, + }, + { + name: "generate-downstream-namespace", + rule: []byte(` + { + "name": "clone-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "apiVersion": "v1", + "kind": "Secret", + "name": "regcred", + "namespace": "{{request.object.metadata.name}}", + "synchronize": true, + "clone": { + "namespace": "default", + "name": "regcred" + } + } + }`), + shouldFail: false, + }, + { + name: "generate-downstream-kind", + rule: []byte(` + { + "name": "clone-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "apiVersion": "v1", + "kind": "{{request.object.metadata.kind}}", + "name": "regcred", + "namespace": "default", + "synchronize": true, + "clone": { + "namespace": "default", + "name": "regcred" + } + } + }`), + shouldFail: true, + }, + { + name: "generate-downstream-apiversion", + rule: []byte(` + { + "name": "clone-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + "kind": "Secret", + "apiVersion": "{{request.object.metadata.apiVersion}}", + "name": "regcred", + "namespace": "default", + "synchronize": true, + "clone": { + "namespace": "default", + "name": "regcred" + } + } + }`), + shouldFail: true, + }, + { + name: "generate-downstream-name", + rule: []byte(` + { + "name": "clone-secret", + "match": { + "any": [ + { + "resources": { + "kinds": [ + "Namespace" + ] + } + } + ] + }, + "generate": { + 
"apiVersion": "v1", + "kind": "Secret", + "name": "{{request.object.metadata.name}}", + "namespace": "default", + "synchronize": true, + "clone": { + "namespace": "default", + "name": "regcred" + } + } + }`), + shouldFail: false, + }, + } + + for _, testcase := range testcases { + var rule *Rule + err := json.Unmarshal(testcase.rule, &rule) + assert.NilError(t, err, testcase.name) + errs := rule.ValidateGenerate(path, false, "", nil) + assert.Equal(t, len(errs) != 0, testcase.shouldFail, testcase.name) + } +} diff --git a/api/kyverno/v2beta1/rule_types.go b/api/kyverno/v2beta1/rule_types.go index 0c948cba8013..5793b622b724 100644 --- a/api/kyverno/v2beta1/rule_types.go +++ b/api/kyverno/v2beta1/rule_types.go @@ -2,9 +2,10 @@ package v2beta1 import ( "fmt" - "reflect" kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + datautils "github.com/kyverno/kyverno/pkg/utils/data" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/validation/field" ) @@ -15,7 +16,7 @@ import ( type Rule struct { // Name is a label to identify the rule, It must be unique within the policy. // +kubebuilder:validation:MaxLength=63 - Name string `json:"name,omitempty" yaml:"name,omitempty"` + Name string `json:"name" yaml:"name"` // Context defines variables and data sources that can be used during rule execution. // +optional 
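Review bot: `Test_Validate_ClusterPolicy_Generate_Variables` only asserts `len(errs) != 0` for the `shouldFail` cases, so an error raised for any reason other than the variable in the clone/cloneList/kind/apiVersion field still passes, and a regression in the variable check goes unnoticed as long as something else complains. The other tests in this file (`Test_Validate_RuleType_EmptyRule`, earlier in this diff) pin `errs[0].Field` and `errs[0].Type`; adding a `field string` column to the table and asserting `errs[0].Field == testcase.field` would make each case check the intended path. The `json` identifier behind `json.Unmarshal` is not imported in any hunk shown for this file, so it is presumably already in scope.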
@@ -39,12 +40,16 @@ type Rule struct { ImageExtractors kyvernov1.ImageExtractorConfigs `json:"imageExtractors,omitempty" yaml:"imageExtractors,omitempty"` // Preconditions are used to determine if a policy rule should be applied by evaluating a - // set of conditions. The declaration can contain nested `any` or `all` statements. A direct list - // of conditions (without `any` or `all` statements is supported for backwards compatibility but + // set of conditions. The declaration can contain nested `any` or `all` statements. // See: https://kyverno.io/docs/writing-policies/preconditions/ // +optional RawAnyAllConditions *AnyAllConditions `json:"preconditions,omitempty" yaml:"preconditions,omitempty"` + // CELPreconditions are used to determine if a policy rule should be applied by evaluating a + // set of CEL conditions. It can only be used with the validate.cel subrule + // +optional + CELPreconditions []admissionregistrationv1.MatchCondition `json:"celPreconditions,omitempty" yaml:"celPreconditions,omitempty"` + // Mutation is used to modify matching resources. // +optional Mutation kyvernov1.Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"` 
@@ -60,72 +65,83 @@ type Rule struct { // VerifyImages is used to verify image signatures and mutate them to add a digest // +optional VerifyImages []ImageVerification `json:"verifyImages,omitempty" yaml:"verifyImages,omitempty"` + + // SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + // The default value is set to "true", it must be set to "false" to apply + // generate and mutateExisting rules to those requests. + // +kubebuilder:default=true + // +kubebuilder:validation:Optional + SkipBackgroundRequests bool `json:"skipBackgroundRequests,omitempty" yaml:"skipBackgroundRequests,omitempty"` } // HasMutate checks for mutate rule func (r *Rule) HasMutate() bool { - return !reflect.DeepEqual(r.Mutation, kyvernov1.Mutation{}) + return !datautils.DeepEqual(r.Mutation, kyvernov1.Mutation{}) } -// HasVerifyImages checks for verifyImages rule -func (r *Rule) HasVerifyImages() bool { - return r.VerifyImages != nil && !reflect.DeepEqual(r.VerifyImages, ImageVerification{}) +// HasMutate checks for standard admission mutate rule +func (r *Rule) HasMutateStandard() bool { + if r.HasMutateExisting() { + return false + } + return !datautils.DeepEqual(r.Mutation, kyvernov1.Mutation{}) } -// HasYAMLSignatureVerify checks for validate.manifests rule -func (r Rule) HasYAMLSignatureVerify() bool { - return r.Validation.Manifests != nil && len(r.Validation.Manifests.Attestors) != 0 +// HasMutateExisting checks if the mutate rule applies to existing resources +func (r *Rule) HasMutateExisting() bool { + return r.Mutation.Targets != nil } -// HasImagesValidationChecks checks whether the verifyImages rule has validation checks -func (r *Rule) HasImagesValidationChecks() bool { - for _, v := range r.VerifyImages { - if v.VerifyDigest || v.Required { +// HasVerifyImages checks for verifyImages rule +func (r *Rule) HasVerifyImages() bool { + for _, verifyImage := range r.VerifyImages { + if !datautils.DeepEqual(verifyImage, 
ImageVerification{}) { return true } } - return false } -// HasYAMLSignatureVerify checks for validate rule -func (p *ClusterPolicy) HasYAMLSignatureVerify() bool { - for _, rule := range p.Spec.Rules { - if rule.HasYAMLSignatureVerify() { +// HasVerifyImageChecks checks whether the verifyImages rule has validation checks +func (r *Rule) HasVerifyImageChecks() bool { + for _, v := range r.VerifyImages { + if v.VerifyDigest || v.Required { return true } } - return false } +// HasVerifyManifests checks for validate.manifests rule +func (r Rule) HasVerifyManifests() bool { + return r.Validation.Manifests != nil && len(r.Validation.Manifests.Attestors) != 0 +} + +// HasValidatePodSecurity checks for validate.podSecurity rule +func (r Rule) HasValidatePodSecurity() bool { + return r.Validation.PodSecurity != nil && !datautils.DeepEqual(r.Validation.PodSecurity, &kyvernov1.PodSecurity{}) +} + +// HasValidateCEL checks for validate.cel rule +func (r *Rule) HasValidateCEL() bool { + return r.Validation.CEL != nil && !datautils.DeepEqual(r.Validation.CEL, &kyvernov1.CEL{}) +} + // HasValidate checks for validate rule func (r *Rule) HasValidate() bool { - return !reflect.DeepEqual(r.Validation, Validation{}) + return !datautils.DeepEqual(r.Validation, Validation{}) } // HasGenerate checks for generate rule func (r *Rule) HasGenerate() bool { - return !reflect.DeepEqual(r.Generation, kyvernov1.Generation{}) -} - -// IsMutateExisting checks if the mutate rule applies to existing resources -func (r *Rule) IsMutateExisting() bool { - return r.Mutation.Targets != nil + return !datautils.DeepEqual(r.Generation, kyvernov1.Generation{}) } -// IsCloneSyncGenerate checks if the generate rule has the clone block with sync=true -func (r *Rule) GetCloneSyncForGenerate() (clone bool, sync bool) { +func (r *Rule) GetGenerateTypeAndSync() (_ kyvernov1.GenerateType, sync bool, orphanDownstream bool) { if !r.HasGenerate() { return } - - if r.Generation.Clone.Name != "" { - clone = true - } - 
- sync = r.Generation.Synchronize - return + return r.Generation.GetTypeAndSyncAndOrphanDownstream() } // ValidateRuleType checks only one type of rule is defined per rule 
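Review bot: `SkipBackgroundRequests` is a plain `bool` tagged `omitempty` with `+kubebuilder:default=true`, so an explicit `false` is dropped whenever the rule is marshalled from Go and the API-server default then turns it back into `true`; since `false` is the value that lets generate and mutateExisting rules see background-controller requests, that round trip silently stops the rule from applying to them. Either drop `omitempty` as `UseCache` and `Required` in image_verification_types.go do, or make the field `*bool` so absence and an explicit `false` stay distinguishable. The doc comment on `HasMutateStandard` still reads `// HasMutate checks for standard admission mutate rule` and should start with the method's name, and `GetGenerateTypeAndSync` has no doc comment; `// GetGenerateTypeAndSync returns the generate type, the synchronize flag and the orphanDownstream flag, or zero values when the rule has no generate block.` covers the visible behaviour. `HasVerifyManifests` and `HasValidatePodSecurity` use value receivers while the surrounding `Has*` methods use pointer receivers; one form for the whole type avoids the mixed method set. `Rule` and the rest of the file continue outside this hunk.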
@@ -158,27 +174,36 @@ func (r *Rule) ValidateMatchExcludeConflict(path *field.Path) (errs field.ErrorL
 if len(r.MatchResources.Any) > 0 && len(r.ExcludeResources.Any) > 0 {
 for _, rmr := range r.MatchResources.Any {
 for _, rer := range r.ExcludeResources.Any {
- if reflect.DeepEqual(rmr, rer) {
+ if datautils.DeepEqual(rmr, rer) {
 return append(errs, field.Invalid(path, r, "Rule is matching an empty set"))
 }
 }
 }
 return errs
 }
- if reflect.DeepEqual(r.ExcludeResources.Any, r.MatchResources.Any) {
+ if datautils.DeepEqual(r.ExcludeResources.Any, r.MatchResources.Any) {
 return errs
 }
- if reflect.DeepEqual(r.ExcludeResources.All, r.MatchResources.All) {
+ if datautils.DeepEqual(r.ExcludeResources.All, r.MatchResources.All) {
 return errs
 }
 return append(errs, field.Invalid(path, r, "Rule is matching an empty set"))
 }
+func (r *Rule) ValidateGenerate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
+ if !r.HasGenerate() {
+ return nil
+ }
+
+ return r.Generation.Validate(path, namespaced, policyNamespace, clusterResources)
+}
+
 // Validate implements programmatic validation
-func (r *Rule) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
+func (r *Rule) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
 errs = append(errs, r.ValidateRuleType(path)...)
 errs = append(errs, r.ValidateMatchExcludeConflict(path)...)
 errs = append(errs, r.MatchResources.Validate(path.Child("match"), namespaced, clusterResources)...)
 errs = append(errs, r.ExcludeResources.Validate(path.Child("exclude"), namespaced, clusterResources)...)
+ errs = append(errs, r.ValidateGenerate(path, namespaced, policyNamespace, clusterResources)...)
 return errs
 }
diff --git a/api/kyverno/v2beta1/spec_test.go b/api/kyverno/v2beta1/spec_test.go
index 4575edcf736c..69da20f9388c 100644
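Review bot: `ValidateGenerate` is exported but has no doc comment, unlike its siblings `ValidateRuleType` and `ValidateMatchExcludeConflict` in the same file; `// ValidateGenerate validates the rule's generate block and returns nil when the rule has none.` would match the file's convention. Whether `Generation.Validate` checks the namespaced/clusterResources constraints that are threaded through here is not visible in this hunk, so the comment should not promise more than delegation. `ValidateMatchExcludeConflict`'s body begins before this hunk.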
--- a/api/kyverno/v2beta1/spec_test.go
+++ b/api/kyverno/v2beta1/spec_test.go
@@ -3,9 +3,9 @@ package v2beta1
 import (
 "testing"
+ "github.com/kyverno/kyverno/api/kyverno"
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 "gotest.tools/assert"
- apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 "k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -23,10 +23,8 @@ func Test_Validate_UniqueRuleName(t *testing.T) {
 }},
 },
 Validation: Validation{
- Message: "message",
- RawAnyPattern: &apiextv1.JSON{
- Raw: []byte("{"),
- },
+ Message: "message",
+ RawAnyPattern: kyverno.ToAny("{"),
 },
 }, {
 Name: "deny-privileged-disallowpriviligedescalation",
@@ -39,15 +37,13 @@ func Test_Validate_UniqueRuleName(t *testing.T) {
 }},
 }},
 Validation: Validation{
- Message: "message",
- RawAnyPattern: &apiextv1.JSON{
- Raw: []byte("{"),
- },
+ Message: "message",
+ RawAnyPattern: kyverno.ToAny("{"),
 },
 }},
 }
 path := field.NewPath("dummy")
- errs := subject.Validate(path, false, nil)
+ errs := subject.Validate(path, false, "", nil)
 assert.Equal(t, len(errs), 1)
 assert.Equal(t, errs[0].Field, "dummy.rules[1].name")
 assert.Equal(t, errs[0].Type, field.ErrorTypeInvalid)
diff --git a/api/kyverno/v2beta1/spec_types.go b/api/kyverno/v2beta1/spec_types.go
index a4b5d9a1f3bc..11f72bf2b33b 100644
--- a/api/kyverno/v2beta1/spec_types.go
+++ b/api/kyverno/v2beta1/spec_types.go
@@ -1,9 +1,11 @@ package v2beta1
 import (
+ "context"
 "fmt"
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ "github.com/kyverno/kyverno/pkg/toggle"
 "k8s.io/apimachinery/pkg/util/sets"
 "k8s.io/apimachinery/pkg/util/validation/field"
 )
@@ -21,26 +23,23 @@ type Spec struct {
 // +optional
 ApplyRules *kyvernov1.ApplyRulesType `json:"applyRules,omitempty" yaml:"applyRules,omitempty"`
- // FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled.
- // Rules within the same policy share the same failure behavior.
- // Allowed values are Ignore or Fail. Defaults to Fail.
- // +optional
+ // Deprecated, use failurePolicy under the webhookConfiguration instead.
 FailurePolicy *kyvernov1.FailurePolicyType `json:"failurePolicy,omitempty" yaml:"failurePolicy,omitempty"`
- // ValidationFailureAction defines if a validation policy rule violation should block
- // the admission review request (enforce), or allow (audit) the admission review request
- // and report an error in a policy report. Optional.
- // Allowed values are audit or enforce. The default value is "Audit".
- // +optional
+ // Deprecated, use validationFailureAction under the validate rule instead.
 // +kubebuilder:validation:Enum=audit;enforce;Audit;Enforce
 // +kubebuilder:default=Audit
 ValidationFailureAction kyvernov1.ValidationFailureAction `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`
- // ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
- // namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
- // +optional
+ // Deprecated, use validationFailureActionOverrides under the validate rule instead.
 ValidationFailureActionOverrides []kyvernov1.ValidationFailureActionOverride `json:"validationFailureActionOverrides,omitempty" yaml:"validationFailureActionOverrides,omitempty"`
+ // Admission controls if rules are applied during admission.
+ // Optional. Default value is "true".
+ // +optional
+ // +kubebuilder:default=true
+ Admission *bool `json:"admission,omitempty" yaml:"admission,omitempty"`
+
 // Background controls if rules are applied to existing resources during a background scan.
// Optional. Default value is "true". The value must be set to "false" if the policy rule
 // uses variables that are only available in the admission review request (e.g. user name).
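Review bot: The new deprecation comments on FailurePolicy, ValidationFailureAction and ValidationFailureActionOverrides are written as `// Deprecated, use failurePolicy under the webhookConfiguration instead.`, which is not the `Deprecated:` paragraph form that gopls, staticcheck and pkg.go.dev recognise, so callers will get no deprecation signal; the same applies to SchemaValidation, WebhookTimeoutSeconds, MutateExistingOnPolicyUpdate, GenerateExistingOnPolicyUpdate and GenerateExisting in the next hunk. Writing each as its own paragraph, e.g. `// Deprecated: use failurePolicy under the webhookConfiguration instead.`, fixes that. The replaced text also dropped the description of what each field does and which values it accepts, so a reader of an older policy has nothing to go on; keeping one sentence of the original description above the deprecation line (for ValidationFailureAction at least the allowed values and the Audit default, which the kubebuilder markers still encode) would help. The Spec struct starts before this hunk and continues after it.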
@@ -48,26 +47,36 @@ type Spec struct {
 // +kubebuilder:default=true
 Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
- // SchemaValidation skips validation checks for policies as well as patched resources.
- // Optional. The default value is set to "true", it must be set to "false" to disable the validation checks.
- // +optional
+ // Deprecated.
 SchemaValidation *bool `json:"schemaValidation,omitempty" yaml:"schemaValidation,omitempty"`
- // WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
- // After the configured time expires, the admission request may fail, or may simply ignore the policy results,
- // based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
+ // Deprecated, use webhookTimeoutSeconds under webhookConfiguration instead.
 WebhookTimeoutSeconds *int32 `json:"webhookTimeoutSeconds,omitempty" yaml:"webhookTimeoutSeconds,omitempty"`
- // MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events.
- // Default value is "false".
+ // Deprecated, use mutateExistingOnPolicyUpdate under the mutate rule instead
 // +optional
 MutateExistingOnPolicyUpdate bool `json:"mutateExistingOnPolicyUpdate,omitempty" yaml:"mutateExistingOnPolicyUpdate,omitempty"`
- // GenerateExistingOnPolicyUpdate controls whether to trigger generate rule in existing resources
- // If is set to "true" generate rule will be triggered and applied to existing matched resources.
+ // Deprecated, use generateExisting instead
+ // +optional
+ GenerateExistingOnPolicyUpdate *bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
+
+ // Deprecated, use generateExisting under the generate rule instead
+ GenerateExisting bool `json:"generateExisting,omitempty" yaml:"generateExisting,omitempty"`
+
+ // UseServerSideApply controls whether to use server-side apply for generate rules
+ // If is set to "true" create & update for generate rules will use apply instead of create/update.
 // Defaults to "false" if not specified.
 // +optional
- GenerateExistingOnPolicyUpdate bool `json:"generateExistingOnPolicyUpdate,omitempty" yaml:"generateExistingOnPolicyUpdate,omitempty"`
+ UseServerSideApply bool `json:"useServerSideApply,omitempty" yaml:"useServerSideApply,omitempty"`
+
+ // WebhookConfiguration specifies the custom configuration for Kubernetes admission webhookconfiguration.
+ // +optional
+ WebhookConfiguration *kyvernov1.WebhookConfiguration `json:"webhookConfiguration,omitempty" yaml:"webhookConfiguration,omitempty"`
+}
+
+func (s *Spec) CustomWebhookMatchConditions() bool {
+ return s.WebhookConfiguration != nil && len(s.WebhookConfiguration.MatchConditions) != 0
 }
 func (s *Spec) SetRules(rules []Rule) {
@@ -95,6 +104,26 @@ func (s *Spec) HasMutate() bool {
 return false
 }
+// HasMutate checks for standard admission mutate rule
+func (s *Spec) HasMutateStandard() bool {
+ for _, rule := range s.Rules {
+ if rule.HasMutateStandard() {
+ return true
+ }
+ }
+ return false
+}
+
+// HasMutate checks for mutate existing rule types
+func (s *Spec) HasMutateExisting() bool {
+ for _, rule := range s.Rules {
+ if rule.HasMutateExisting() {
+ return true
+ }
+ }
+ return false
+}
+
 // HasValidate checks for validate rule types
 func (s *Spec) HasValidate() bool {
 for _, rule := range s.Rules {
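Review bot: The doc comments on the two new methods in the `@@ -95,6 +104,26 @@` hunk were copied from HasMutate and name the wrong function: `// HasMutate checks for standard admission mutate rule` sits on `HasMutateStandard` and `// HasMutate checks for mutate existing rule types` on `HasMutateExisting`, so godoc and linters will flag them and readers searching for HasMutate will find three hits. They should start with the method name, e.g. `// HasMutateStandard reports whether any rule is a standard admission mutate rule.` and `// HasMutateExisting reports whether any rule mutates existing resources.`. In the preceding hunk `CustomWebhookMatchConditions` is exported with no comment at all; `// CustomWebhookMatchConditions reports whether spec.webhookConfiguration.matchConditions is set and non-empty.` describes exactly what it does.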
@@ -106,6 +135,19 @@ func (s *Spec) HasValidate() bool {
 return false
 }
+// HasValidateEnforce checks if the policy has any validate rules with enforce action
+func (s *Spec) HasValidateEnforce() bool {
+ for _, rule := range s.Rules {
+ if rule.HasValidate() {
+ action := rule.Validation.ValidationFailureAction
+ if action != nil && action.Enforce() {
+ return true
+ }
+ }
+ }
+ return s.ValidationFailureAction.Enforce()
+}
+
 // HasGenerate checks for generate rule types
 func (s *Spec) HasGenerate() bool {
 for _, rule := range s.Rules {
@@ -117,10 +159,10 @@ func (s *Spec) HasGenerate() bool {
 return false
 }
-// HasImagesValidationChecks checks for image verification rules invoked during resource validation
-func (s *Spec) HasImagesValidationChecks() bool {
+// HasVerifyImageChecks checks for image verification rules invoked during resource validation
+func (s *Spec) HasVerifyImageChecks() bool {
 for _, rule := range s.Rules {
- if rule.HasImagesValidationChecks() {
+ if rule.HasVerifyImageChecks() {
 return true
 }
 }
@@ -139,10 +181,10 @@ func (s *Spec) HasVerifyImages() bool {
 return false
 }
-// HasYAMLSignatureVerify checks for image verification rules invoked during resource mutation
-func (s *Spec) HasYAMLSignatureVerify() bool {
+// HasVerifyManifests checks for image verification rules invoked during resource mutation
+func (s *Spec) HasVerifyManifests() bool {
 for _, rule := range s.Rules {
- if rule.HasYAMLSignatureVerify() {
+ if rule.HasVerifyManifests() {
 return true
 }
 }
@@ -150,6 +192,15 @@ func (s *Spec) HasYAMLSignatureVerify() bool {
 return false
 }
+// AdmissionProcessingEnabled checks if admission is set to true
+func (s *Spec) AdmissionProcessingEnabled() bool {
+ if s.Admission == nil {
+ return true
+ }
+
+ return *s.Admission
+}
+
 // BackgroundProcessingEnabled checks if background is set to true
 func (s *Spec) BackgroundProcessingEnabled() bool {
 if s.Background == nil {
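Review bot: `HasValidateEnforce` falls back to the deprecated spec-level `s.ValidationFailureAction.Enforce()` whenever no rule carries an explicit enforce action, so a policy whose validate rules all set the rule-level action to audit while spec.validationFailureAction is still Enforce is still reported as enforcing. If the rule-level field is meant to override the spec-level one, as the `Deprecated, use validationFailureAction under the validate rule instead` comment suggests, a rule with a non-nil action should count as decided and the spec-level fallback should apply only to rules that leave it nil; whichever precedence is intended belongs in the doc comment, since this result presumably decides whether a request is blocked or merely reported. Separately, the renamed `HasVerifyManifests` in the third hunk keeps the copied text `checks for image verification rules invoked during resource mutation`, which no longer describes manifest signature verification; `// HasVerifyManifests reports whether any rule has a validate.manifests block.` matches what the rule-level method checks.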
@@ -159,35 +210,55 @@ func (s *Spec) BackgroundProcessingEnabled() bool {
 return *s.Background
 }
-// IsMutateExisting checks if the mutate policy applies to existing resources
-func (s *Spec) IsMutateExisting() bool {
+// GetMutateExistingOnPolicyUpdate returns true if any of the rules have MutateExistingOnPolicyUpdate set to true
+func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
 for _, rule := range s.Rules {
- if rule.IsMutateExisting() {
- return true
+ if rule.HasMutate() {
+ isMutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate
+ if isMutateExisting != nil && *isMutateExisting {
+ return true
+ }
 }
 }
- return false
-}
-
-// GetMutateExistingOnPolicyUpdate return MutateExistingOnPolicyUpdate set value
-func (s *Spec) GetMutateExistingOnPolicyUpdate() bool {
 return s.MutateExistingOnPolicyUpdate
 }
-// IsGenerateExistingOnPolicyUpdate return GenerateExistingOnPolicyUpdate set value
-func (s *Spec) IsGenerateExistingOnPolicyUpdate() bool {
- return s.GenerateExistingOnPolicyUpdate
+// IsGenerateExisting returns true if any of the generate rules has generateExisting set to true
+func (s *Spec) IsGenerateExisting() bool {
+ for _, rule := range s.Rules {
+ if rule.HasGenerate() {
+ isGenerateExisting := rule.Generation.GenerateExisting
+ if isGenerateExisting != nil && *isGenerateExisting {
+ return true
+ }
+ }
+ }
+ return s.GenerateExisting
 }
 // GetFailurePolicy returns the failure policy to be applied
-func (s *Spec) GetFailurePolicy() kyvernov1.FailurePolicyType {
- if s.FailurePolicy == nil {
- return kyvernov1.Fail
+func (s *Spec) GetFailurePolicy(ctx context.Context) kyvernov1.FailurePolicyType {
+ if toggle.FromContext(ctx).ForceFailurePolicyIgnore() {
+ return kyvernov1.Ignore
+ } else if s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
+ return *s.WebhookConfiguration.FailurePolicy
+ } else if s.FailurePolicy != nil {
+ return *s.FailurePolicy
 }
- return *s.FailurePolicy
+ return kyvernov1.Fail
 }
-//
GetFailurePolicy returns the failure policy to be applied
+func (s *Spec) GetWebhookTimeoutSeconds() *int32 {
+ if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
+ return s.WebhookConfiguration.TimeoutSeconds
+ }
+ if s.WebhookTimeoutSeconds != nil {
+ return s.WebhookTimeoutSeconds
+ }
+ return nil
+}
+
+// GetApplyRules returns the apply rules type
 func (s *Spec) GetApplyRules() kyvernov1.ApplyRulesType {
 if s.ApplyRules == nil {
 return kyvernov1.ApplyAll
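Review bot: `GetFailurePolicy` now returns `kyvernov1.Ignore` whenever `toggle.FromContext(ctx).ForceFailurePolicyIgnore()` is set, ahead of both `webhookConfiguration.failurePolicy` and the deprecated `spec.failurePolicy`, so a policy that explicitly asks for Fail is made fail-open by a process-wide toggle and nothing in the policy itself shows that. The doc comment still reads only `// GetFailurePolicy returns the failure policy to be applied`; it should state the precedence (toggle, then webhookConfiguration.failurePolicy, then spec.failurePolicy, then Fail) so an operator reading the API knows where fail-open behaviour can come from. The `if ... return ... } else if ...` chain, where every branch returns, reads more naturally as a bare `switch` with the `else` dropped. `GetWebhookTimeoutSeconds` is a new exported method without a doc comment; `// GetWebhookTimeoutSeconds returns webhookConfiguration.timeoutSeconds, falling back to the deprecated spec.webhookTimeoutSeconds, or nil when neither is set.` describes it.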
@@ -209,17 +280,59 @@ func (s *Spec) ValidateRuleNames(path *field.Path) (errs field.ErrorList) {
 }
 // ValidateRules implements programmatic validation of Rules
-func (s *Spec) ValidateRules(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
+func (s *Spec) ValidateRules(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
 errs = append(errs, s.ValidateRuleNames(path)...)
 for i, rule := range s.Rules {
- errs = append(errs, rule.Validate(path.Index(i), namespaced, clusterResources)...)
+ errs = append(errs, rule.Validate(path.Index(i), namespaced, policyNamespace, clusterResources)...)
+ }
+ return errs
+}
+
+func (s *Spec) ValidateDeprecatedFields(path *field.Path) (errs field.ErrorList) {
+ if s.WebhookTimeoutSeconds != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil {
+ errs = append(errs, field.Forbidden(path.Child("webhookTimeoutSeconds"), "remove the deprecated field and use spec.webhookConfiguration.timeoutSeconds instead"))
+ }
+
+ if s.FailurePolicy != nil && s.WebhookConfiguration != nil && s.WebhookConfiguration.FailurePolicy != nil {
+ errs = append(errs, field.Forbidden(path.Child("failurePolicy"), "remove the deprecated field and use spec.webhookConfiguration.failurePolicy instead"))
+ }
+
+ if s.GenerateExistingOnPolicyUpdate != nil {
+ errs = append(errs, field.Forbidden(path.Child("generateExistingOnPolicyUpdate"), "remove the deprecated field and use spec.generate[*].generateExisting instead"))
+ }
+ return errs
+}
+
+func (s *Spec) validateMutateTargets(path *field.Path) (errs field.ErrorList) {
+ for i, rule := range s.Rules {
+ if !rule.HasMutate() {
+ continue
+ }
+ mutateExisting := rule.Mutation.MutateExistingOnPolicyUpdate
+ if s.MutateExistingOnPolicyUpdate || (mutateExisting != nil && *mutateExisting) {
+ if len(rule.Mutation.Targets) == 0 {
+ errs = append(errs,
field.Forbidden(path.Child("mutateExistingOnPolicyUpdate"), fmt.Sprintf("rules[%v].mutate.targets has to be specified when mutateExistingOnPolicyUpdate is set", i)))
+ }
+ }
 }
 return errs
 }
 // Validate implements programmatic validation
-func (s *Spec) Validate(path *field.Path, namespaced bool, clusterResources sets.Set[string]) (errs field.ErrorList) {
- errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, clusterResources)...)
+func (s *Spec) Validate(path *field.Path, namespaced bool, policyNamespace string, clusterResources sets.Set[string]) (errs field.ErrorList) {
+ if err := s.ValidateDeprecatedFields(path); err != nil {
+ errs = append(errs, err...)
+ }
+ if err := s.validateMutateTargets(path); err != nil {
+ errs = append(errs, err...)
+ }
+ if s.WebhookTimeoutSeconds != nil && (*s.WebhookTimeoutSeconds < 1 || *s.WebhookTimeoutSeconds > 30) {
+ errs = append(errs, field.Invalid(path.Child("webhookTimeoutSeconds"), s.WebhookTimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
+ }
+ if s.WebhookConfiguration != nil && s.WebhookConfiguration.TimeoutSeconds != nil && (*s.WebhookConfiguration.TimeoutSeconds < 1 || *s.WebhookConfiguration.TimeoutSeconds > 30) {
+ errs = append(errs, field.Invalid(path.Child("webhookConfiguration.timeoutSeconds"), s.WebhookConfiguration.TimeoutSeconds, "the timeout value must be between 1 and 30 seconds"))
+ }
+ errs = append(errs, s.ValidateRules(path.Child("rules"), namespaced, policyNamespace, clusterResources)...)
 if namespaced && len(s.ValidationFailureActionOverrides) > 0 {
 errs = append(errs, field.Forbidden(path.Child("validationFailureActionOverrides"), "Use of validationFailureActionOverrides is supported only with ClusterPolicy"))
 }
diff --git a/api/kyverno/v2beta1/zz_generated.deepcopy.go b/api/kyverno/v2beta1/zz_generated.deepcopy.go
index 9e09ed434e88..d1151867693c 100755
--- a/api/kyverno/v2beta1/zz_generated.deepcopy.go
+++ b/api/kyverno/v2beta1/zz_generated.deepcopy.go
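Review bot: In `validateMutateTargets` the missing-targets error is always reported at `path.Child("mutateExistingOnPolicyUpdate")`, the deprecated spec-level field, even when the trigger was only the rule-level `rule.Mutation.MutateExistingOnPolicyUpdate`, so the path points the user at a field they never set; `path.Child("rules").Index(i).Child("mutate").Child("targets")` would locate the actual missing field and the rule index already appears in the message. In `Validate`, `if err := s.ValidateDeprecatedFields(path); err != nil { errs = append(errs, err...) }` guards a `field.ErrorList` that append already handles when nil, and naming the slice `err` suggests a single error; `errs = append(errs, s.ValidateDeprecatedFields(path)...)` matches the surrounding calls, and the same applies to the `validateMutateTargets` call. `path.Child("webhookConfiguration.timeoutSeconds")` creates a single path element containing a dot rather than two nested children, so the rendered path is right but any consumer walking the path elements sees one bogus name; `path.Child("webhookConfiguration").Child("timeoutSeconds")` is the field.Path idiom. `ValidateDeprecatedFields` and `validateMutateTargets` are also undocumented; a one-line `// ValidateDeprecatedFields rejects deprecated spec fields that are set alongside their replacement.` and `// validateMutateTargets requires mutate.targets on every rule that mutates existing resources.` would do.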
@@ -17,15 +17,15 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by controller-gen. DO NOT EDIT. +// Code generated by deepcopy-gen. DO NOT EDIT. package v2beta1 import ( v1 "github.com/kyverno/kyverno/api/kyverno/v1" - apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + admissionregistrationv1 "k8s.io/api/admissionregistration/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -45,6 +45,7 @@ func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions. 
@@ -57,6 +58,186 @@ func (in *AnyAllConditions) DeepCopy() *AnyAllConditions { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicy) DeepCopyInto(out *CleanupPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicy. +func (in *CleanupPolicy) DeepCopy() *CleanupPolicy { + if in == nil { + return nil + } + out := new(CleanupPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CleanupPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicyList) DeepCopyInto(out *CleanupPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]CleanupPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyList. +func (in *CleanupPolicyList) DeepCopy() *CleanupPolicyList { + if in == nil { + return nil + } + out := new(CleanupPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. 
+func (in *CleanupPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicySpec) DeepCopyInto(out *CleanupPolicySpec) { + *out = *in + if in.Context != nil { + in, out := &in.Context, &out.Context + *out = make([]v1.ContextEntry, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.MatchResources.DeepCopyInto(&out.MatchResources) + if in.ExcludeResources != nil { + in, out := &in.ExcludeResources, &out.ExcludeResources + *out = new(MatchResources) + (*in).DeepCopyInto(*out) + } + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = new(AnyAllConditions) + (*in).DeepCopyInto(*out) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicySpec. +func (in *CleanupPolicySpec) DeepCopy() *CleanupPolicySpec { + if in == nil { + return nil + } + out := new(CleanupPolicySpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CleanupPolicyStatus) DeepCopyInto(out *CleanupPolicyStatus) { + *out = *in + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = make([]metav1.Condition, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + in.LastExecutionTime.DeepCopyInto(&out.LastExecutionTime) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CleanupPolicyStatus. +func (in *CleanupPolicyStatus) DeepCopy() *CleanupPolicyStatus { + if in == nil { + return nil + } + out := new(CleanupPolicyStatus) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterCleanupPolicy) DeepCopyInto(out *ClusterCleanupPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicy. +func (in *ClusterCleanupPolicy) DeepCopy() *ClusterCleanupPolicy { + if in == nil { + return nil + } + out := new(ClusterCleanupPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterCleanupPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterCleanupPolicyList) DeepCopyInto(out *ClusterCleanupPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterCleanupPolicy, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCleanupPolicyList. +func (in *ClusterCleanupPolicyList) DeepCopy() *ClusterCleanupPolicyList { + if in == nil { + return nil + } + out := new(ClusterCleanupPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterCleanupPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy) { *out = *in 
@@ -64,6 +245,7 @@ func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy) { in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy. @@ -96,6 +278,7 @@ func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList. @@ -121,14 +304,13 @@ func (in *Condition) DeepCopyInto(out *Condition) { *out = *in if in.RawKey != nil { in, out := &in.RawKey, &out.RawKey - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.RawValue != nil { in, out := &in.RawValue, &out.RawValue - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. @@ -149,6 +331,7 @@ func (in *Deny) DeepCopyInto(out *Deny) { *out = new(AnyAllConditions) (*in).DeepCopyInto(*out) } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny. 
@@ -161,14 +344,45 @@ func (in *Deny) DeepCopy() *Deny { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Exception) DeepCopyInto(out *Exception) { + *out = *in + if in.RuleNames != nil { + in, out := &in.RuleNames, &out.RuleNames + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Exception. +func (in *Exception) DeepCopy() *Exception { + if in == nil { + return nil + } + out := new(Exception) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(v1.ValidationFailureAction) + **out = **in + } if in.ImageReferences != nil { in, out := &in.ImageReferences, &out.ImageReferences *out = make([]string, len(*in)) copy(*out, *in) } + if in.SkipImageReferences != nil { + in, out := &in.SkipImageReferences, &out.SkipImageReferences + *out = make([]string, len(*in)) + copy(*out, *in) + } if in.Attestors != nil { in, out := &in.Attestors, &out.Attestors *out = make([]v1.AttestorSet, len(*in)) @@ -183,6 +397,12 @@ func (in *ImageVerification) DeepCopyInto(out *ImageVerification) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.ImageRegistryCredentials != nil { + in, out := &in.ImageRegistryCredentials, &out.ImageRegistryCredentials + *out = new(v1.ImageRegistryCredentials) + (*in).DeepCopyInto(*out) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageVerification. 
@@ -212,6 +432,7 @@ func (in *MatchResources) DeepCopyInto(out *MatchResources) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources. @@ -231,6 +452,7 @@ func (in *Policy) DeepCopyInto(out *Policy) { in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) in.Spec.DeepCopyInto(&out.Spec) in.Status.DeepCopyInto(&out.Status) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. 
@@ -251,6 +473,107 @@ func (in *Policy) DeepCopyObject() runtime.Object { return nil } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyException) DeepCopyInto(out *PolicyException) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException. +func (in *PolicyException) DeepCopy() *PolicyException { + if in == nil { + return nil + } + out := new(PolicyException) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PolicyException) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]PolicyException, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList. +func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList { + if in == nil { + return nil + } + out := new(PolicyExceptionList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *PolicyExceptionList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec) { + *out = *in + if in.Background != nil { + in, out := &in.Background, &out.Background + *out = new(bool) + **out = **in + } + in.Match.DeepCopyInto(&out.Match) + if in.Conditions != nil { + in, out := &in.Conditions, &out.Conditions + *out = new(AnyAllConditions) + (*in).DeepCopyInto(*out) + } + if in.Exceptions != nil { + in, out := &in.Exceptions, &out.Exceptions + *out = make([]Exception, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.PodSecurity != nil { + in, out := &in.PodSecurity, &out.PodSecurity + *out = make([]v1.PodSecurityStandard, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec. +func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec { + if in == nil { + return nil + } + out := new(PolicyExceptionSpec) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyList) DeepCopyInto(out *PolicyList) { *out = *in @@ -263,6 +586,7 @@ func (in *PolicyList) DeepCopyInto(out *PolicyList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList. @@ -318,6 +642,12 @@ func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription) { *out = new(metav1.LabelSelector) (*in).DeepCopyInto(*out) } + if in.Operations != nil { + in, out := &in.Operations, &out.Operations + *out = make([]v1.AdmissionOperation, len(*in)) + copy(*out, *in) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription. 
@@ -335,6 +665,7 @@ func (in *ResourceFilter) DeepCopyInto(out *ResourceFilter) { *out = *in in.UserInfo.DeepCopyInto(&out.UserInfo) in.ResourceDescription.DeepCopyInto(&out.ResourceDescription) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceFilter. @@ -355,6 +686,7 @@ func (in ResourceFilters) DeepCopyInto(out *ResourceFilters) { for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } + return } } @@ -400,6 +732,11 @@ func (in *Rule) DeepCopyInto(out *Rule) { *out = new(AnyAllConditions) (*in).DeepCopyInto(*out) } + if in.CELPreconditions != nil { + in, out := &in.CELPreconditions, &out.CELPreconditions + *out = make([]admissionregistrationv1.MatchCondition, len(*in)) + copy(*out, *in) + } in.Mutation.DeepCopyInto(&out.Mutation) in.Validation.DeepCopyInto(&out.Validation) in.Generation.DeepCopyInto(&out.Generation) @@ -410,6 +747,7 @@ func (in *Rule) DeepCopyInto(out *Rule) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. @@ -449,6 +787,11 @@ func (in *Spec) DeepCopyInto(out *Spec) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + if in.Admission != nil { + in, out := &in.Admission, &out.Admission + *out = new(bool) + **out = **in + } if in.Background != nil { in, out := &in.Background, &out.Background *out = new(bool) @@ -464,6 +807,17 @@ func (in *Spec) DeepCopyInto(out *Spec) { *out = new(int32) **out = **in } + if in.GenerateExistingOnPolicyUpdate != nil { + in, out := &in.GenerateExistingOnPolicyUpdate, &out.GenerateExistingOnPolicyUpdate + *out = new(bool) + **out = **in + } + if in.WebhookConfiguration != nil { + in, out := &in.WebhookConfiguration, &out.WebhookConfiguration + *out = new(v1.WebhookConfiguration) + (*in).DeepCopyInto(*out) + } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec. 
@@ -479,6 +833,18 @@ func (in *Spec) DeepCopy() *Spec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Validation) DeepCopyInto(out *Validation) { *out = *in + if in.ValidationFailureAction != nil { + in, out := &in.ValidationFailureAction, &out.ValidationFailureAction + *out = new(v1.ValidationFailureAction) + **out = **in + } + if in.ValidationFailureActionOverrides != nil { + in, out := &in.ValidationFailureActionOverrides, &out.ValidationFailureActionOverrides + *out = make([]v1.ValidationFailureActionOverride, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } if in.Manifests != nil { in, out := &in.Manifests, &out.Manifests *out = new(v1.Manifests) @@ -493,13 +859,11 @@ func (in *Validation) DeepCopyInto(out *Validation) { } if in.RawPattern != nil { in, out := &in.RawPattern, &out.RawPattern - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.RawAnyPattern != nil { in, out := &in.RawAnyPattern, &out.RawAnyPattern - *out = new(apiextensionsv1.JSON) - (*in).DeepCopyInto(*out) + *out = (*in).DeepCopy() } if in.Deny != nil { in, out := &in.Deny, &out.Deny @@ -511,6 +875,13 @@ func (in *Validation) DeepCopyInto(out *Validation) { *out = new(v1.PodSecurity) (*in).DeepCopyInto(*out) } + if in.CEL != nil { + in, out := &in.CEL, &out.CEL + *out = new(v1.CEL) + (*in).DeepCopyInto(*out) + } + in.Assert.DeepCopyInto(&out.Assert) + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation. diff --git a/api/kyverno/v2beta1/zz_generated.defaults.go b/api/kyverno/v2beta1/zz_generated.defaults.go new file mode 100644 index 000000000000..2561378d41a6 --- /dev/null +++ b/api/kyverno/v2beta1/zz_generated.defaults.go 
@@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v2beta1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} diff --git a/api/kyverno/v2beta1/zz_generated.register.go b/api/kyverno/v2beta1/zz_generated.register.go new file mode 100644 index 000000000000..625720d9a77a --- /dev/null +++ b/api/kyverno/v2beta1/zz_generated.register.go 
@@ -0,0 +1,75 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v2beta1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "kyverno.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v2beta1"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v2beta1"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. 
The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &CleanupPolicy{}, + &CleanupPolicyList{}, + &ClusterCleanupPolicy{}, + &ClusterCleanupPolicyList{}, + &ClusterPolicy{}, + &ClusterPolicyList{}, + &Policy{}, + &PolicyException{}, + &PolicyExceptionList{}, + &PolicyList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +}
diff --git a/api/policyreport/register.go b/api/policyreport/register.go
deleted file mode 100755
index e078d859c95e..000000000000
--- a/api/policyreport/register.go
+++ /dev/null
@@ -1,5 +0,0 @@
-package policyreport
-
-const (
- GroupName = "wgpolicyk8s.io"
-)
diff --git a/api/policyreport/v1alpha2/clusterpolicyreport_types.go b/api/policyreport/v1alpha2/clusterpolicyreport_types.go
index 58b61374cab2..632682d37c98 100755
--- a/api/policyreport/v1alpha2/clusterpolicyreport_types.go
+++ b/api/policyreport/v1alpha2/clusterpolicyreport_types.go
@@ -27,13 +27,13 @@ import (
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
 // +kubebuilder:resource:path=clusterpolicyreports,scope="Cluster",shortName=cpolr
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
-// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail`
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn`
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".scope.kind"
+// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=".scope.name"
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".summary.pass"
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".summary.fail"
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".summary.warn"
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".summary.error"
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".summary.skip"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 
 // ClusterPolicyReport is the Schema for the clusterpolicyreports API
diff --git a/api/policyreport/v1alpha2/common.go b/api/policyreport/v1alpha2/common.go
index 9f08bb6c32fd..5aad425730a9 100644
--- a/api/policyreport/v1alpha2/common.go
+++ b/api/policyreport/v1alpha2/common.go
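Review bot: The Kind and Name columns lose `priority=1` in the same hunk that switches the JSONPath quoting, so they move from the `-o wide` view into the default `kubectl get cpolr` table; that is a behaviour change, not a formatting one, and nothing in the hunk says it is intended. If widening the default output is the goal it is worth calling out next to the quoting cleanup; otherwise keep the priority on those two lines, e.g. `// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".scope.kind",priority=1`. The policyreport_types.go hunk further down makes the identical change for `polr`, so the same question applies there.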
@@ -22,20 +22,20 @@ import (
 
 // Status specifies state of a policy result
 const (
- StatusPass = "pass"
- StatusFail = "fail"
- StatusWarn = "warn"
- StatusError = "error"
- StatusSkip = "skip"
+ StatusPass PolicyResult = "pass"
+ StatusFail PolicyResult = "fail"
+ StatusWarn PolicyResult = "warn"
+ StatusError PolicyResult = "error"
+ StatusSkip PolicyResult = "skip"
 )
 
 // Severity specifies priority of a policy result
 const (
- SeverityCritical = "critical"
- SeverityHigh = "high"
- SeverityMedium = "medium"
- SeverityLow = "low"
- SeverityInfo = "info"
+ SeverityCritical PolicySeverity = "critical"
+ SeverityHigh PolicySeverity = "high"
+ SeverityMedium PolicySeverity = "medium"
+ SeverityLow PolicySeverity = "low"
+ SeverityInfo PolicySeverity = "info"
 )
 
 // PolicyReportSummary provides a status count summary
diff --git a/api/policyreport/v1alpha2/doc.go b/api/policyreport/v1alpha2/doc.go
index dae6d491ec73..526d35b67617 100755
--- a/api/policyreport/v1alpha2/doc.go
+++ b/api/policyreport/v1alpha2/doc.go
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// +k8s:openapi-gen=true
 // +k8s:deepcopy-gen=package
 // +groupName=wgpolicyk8s.io
 
diff --git a/api/policyreport/v1alpha2/policyreport_types.go b/api/policyreport/v1alpha2/policyreport_types.go
index 295e5bfbbe2e..f78817c544e8 100644
--- a/api/policyreport/v1alpha2/policyreport_types.go
+++ b/api/policyreport/v1alpha2/policyreport_types.go
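Review bot: Giving the Status* and Severity* constants the named types `PolicyResult` and `PolicySeverity` turns them from untyped string constants into typed ones, so any caller that compares one against a plain `string` variable or passes it to a `string` parameter now needs an explicit conversion; that is a source-compatibility change for users of this package and deserves a mention. The `PolicyResult` and `PolicySeverity` declarations are outside this hunk, so I cannot see whether they carry a `+kubebuilder:validation:Enum` marker listing these values; the Go type by itself does not stop an arbitrary string from reaching the API server, so the CRD schema is where unknown results and severities should be rejected. The block comment could also name the type it now describes, e.g. `// Status specifies the PolicyResult values a policy result can take`.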
@@ -22,13 +22,13 @@ import (
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:object:root=true
 // +kubebuilder:storageversion
-// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=`.scope.kind`,priority=1
-// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=`.scope.name`,priority=1
-// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=`.summary.pass`
-// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=`.summary.fail`
-// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=`.summary.warn`
-// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=`.summary.error`
-// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=`.summary.skip`
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".scope.kind"
+// +kubebuilder:printcolumn:name="Name",type=string,JSONPath=".scope.name"
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".summary.pass"
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".summary.fail"
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".summary.warn"
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".summary.error"
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".summary.skip"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
 // +kubebuilder:resource:shortName=polr
 
diff --git a/api/policyreport/v1alpha2/register.go b/api/policyreport/v1alpha2/register.go
deleted file mode 100755
index 384f13bc3390..000000000000
--- a/api/policyreport/v1alpha2/register.go
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
-Copyright 2020 The Kubernetes authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha2
-
-import (
- "github.com/kyverno/kyverno/api/policyreport"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/runtime/schema"
-)
-
-// SchemeGroupVersion is group version used to register these objects
-var SchemeGroupVersion = schema.GroupVersion{Group: policyreport.GroupName, Version: "v1alpha2"}
-
-// Kind takes an unqualified kind and returns back a Group qualified GroupKind
-func Kind(kind string) schema.GroupKind {
- return SchemeGroupVersion.WithKind(kind).GroupKind()
-}
-
-// Resource takes an unqualified resource and returns a Group qualified GroupResource
-func Resource(resource string) schema.GroupResource {
- return SchemeGroupVersion.WithResource(resource).GroupResource()
-}
-
-var (
- // SchemeBuilder builds the scheme
- SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
-
- // AddToScheme adds all types of this clientset into the given scheme
- AddToScheme = SchemeBuilder.AddToScheme
-)
-
-// Adds the list of known types to Scheme.
-func addKnownTypes(scheme *runtime.Scheme) error {
- scheme.AddKnownTypes(SchemeGroupVersion,
- &ClusterPolicyReport{},
- &ClusterPolicyReportList{},
- &PolicyReport{},
- &PolicyReportList{},
- )
- metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
- return nil
-}
diff --git a/api/policyreport/v1alpha2/zz_generated.deepcopy.go b/api/policyreport/v1alpha2/zz_generated.deepcopy.go index 366791c030f0..e0030665f00d 100644 --- a/api/policyreport/v1alpha2/zz_generated.deepcopy.go +++ b/api/policyreport/v1alpha2/zz_generated.deepcopy.go @@ -17,14 +17,14 @@ See the License for the specific language governing permissions and limitations under the License. */ -// Code generated by controller-gen. DO NOT EDIT. +// Code generated by deepcopy-gen. DO NOT EDIT. package v1alpha2 import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" + runtime "k8s.io/apimachinery/pkg/runtime" ) // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. @@ -50,6 +50,7 @@ func (in *ClusterPolicyReport) DeepCopyInto(out *ClusterPolicyReport) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReport. @@ -82,6 +83,7 @@ func (in *ClusterPolicyReportList) DeepCopyInto(out *ClusterPolicyReportList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyReportList. @@ -125,6 +127,7 @@ func (in *PolicyReport) DeepCopyInto(out *PolicyReport) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReport. @@ -157,6 +160,7 @@ func (in *PolicyReportList) DeepCopyInto(out *PolicyReportList) { (*in)[i].DeepCopyInto(&(*out)[i]) } } + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportList. 
@@ -198,6 +202,7 @@ func (in *PolicyReportResult) DeepCopyInto(out *PolicyReportResult) { } } out.Timestamp = in.Timestamp + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportResult. @@ -213,6 +218,7 @@ func (in *PolicyReportResult) DeepCopy() *PolicyReportResult { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *PolicyReportSummary) DeepCopyInto(out *PolicyReportSummary) { *out = *in + return } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyReportSummary. diff --git a/api/policyreport/v1alpha2/zz_generated.defaults.go b/api/policyreport/v1alpha2/zz_generated.defaults.go new file mode 100644 index 000000000000..7e0a05edc950 --- /dev/null +++ b/api/policyreport/v1alpha2/zz_generated.defaults.go @@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +} 
diff --git a/api/policyreport/v1alpha2/zz_generated.register.go b/api/policyreport/v1alpha2/zz_generated.register.go new file mode 100644 index 000000000000..8e721608e213 --- /dev/null +++ b/api/policyreport/v1alpha2/zz_generated.register.go 
@@ -0,0 +1,69 @@ +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by register-gen. DO NOT EDIT. + +package v1alpha2 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName specifies the group name used to register the objects. +const GroupName = "wgpolicyk8s.io" + +// GroupVersion specifies the group and the version used to register the objects. +var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha2"} + +// SchemeGroupVersion is group version used to register these objects +// Deprecated: use GroupVersion instead. +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha2"} + +// Resource takes an unqualified resource and returns a Group qualified GroupResource +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + // Depreciated: use Install instead + AddToScheme = localSchemeBuilder.AddToScheme + Install = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. 
The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +// Adds the list of known types to Scheme. +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &ClusterPolicyReport{}, + &ClusterPolicyReportList{}, + &PolicyReport{}, + &PolicyReportList{}, + ) + // AddToGroupVersion allows the serialization of client types like ListOptions. + v1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +}
diff --git a/api/reports/v1/doc.go b/api/reports/v1/doc.go
new file mode 100644
index 000000000000..1e554afc16ce
--- /dev/null
+++ b/api/reports/v1/doc.go
@@ -0,0 +1,21 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// +k8s:openapi-gen=true
+// +k8s:deepcopy-gen=package
+// +kubebuilder:object:generate=true
+// +groupName=reports.kyverno.io
+package v1
diff --git a/api/reports/v1/ephemeral_report_types.go b/api/reports/v1/ephemeral_report_types.go
new file mode 100644
index 000000000000..02f5337bc02e
--- /dev/null
+++ b/api/reports/v1/ephemeral_report_types.go
@@ -0,0 +1,130 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type EphemeralReportSpec struct {
+ // Owner is a reference to the report owner (e.g. a Deployment, Namespace, or Node)
+ Owner metav1.OwnerReference `json:"owner"`
+
+ // PolicyReportSummary provides a summary of results
+ // +optional
+ Summary policyreportv1alpha2.PolicyReportSummary `json:"summary,omitempty"`
+
+ // PolicyReportResult provides result details
+ // +optional
+ Results []policyreportv1alpha2.PolicyReportResult `json:"results,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:resource:shortName=ephr,categories=kyverno
+// +kubebuilder:printcolumn:name="Source",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/source']"
+// +kubebuilder:printcolumn:name="Group",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.group']"
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.kind']"
+// +kubebuilder:printcolumn:name="Owner",type=string,JSONPath=".metadata.annotations['audit\\.kyverno\\.io/resource\\.name']"
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".spec.summary.error"
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".spec.summary.skip"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Uid",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.uid']",priority=1
+// +kubebuilder:printcolumn:name="Hash",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.hash']",priority=1
+
+// EphemeralReport is the Schema for the EphemeralReports API
+type EphemeralReport struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+ Spec EphemeralReportSpec `json:"spec"`
+}
+
+func (r *EphemeralReport) GetResults() []policyreportv1alpha2.PolicyReportResult {
+ return r.Spec.Results
+}
+
+func (r *EphemeralReport) SetResults(results []policyreportv1alpha2.PolicyReportResult) {
+ r.Spec.Results = results
+}
+
+func (r *EphemeralReport) SetSummary(summary policyreportv1alpha2.PolicyReportSummary) {
+ r.Spec.Summary = summary
+}
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:object:root=true
+// +kubebuilder:storageversion
+// +kubebuilder:resource:scope=Cluster,shortName=cephr,categories=kyverno
+// +kubebuilder:printcolumn:name="Source",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/source']"
+// +kubebuilder:printcolumn:name="Group",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.group']"
+// +kubebuilder:printcolumn:name="Kind",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.kind']"
+// +kubebuilder:printcolumn:name="Owner",type=string,JSONPath=".metadata.annotations['audit\\.kyverno\\.io/resource\\.name']"
+// +kubebuilder:printcolumn:name="Pass",type=integer,JSONPath=".spec.summary.pass"
+// +kubebuilder:printcolumn:name="Fail",type=integer,JSONPath=".spec.summary.fail"
+// +kubebuilder:printcolumn:name="Warn",type=integer,JSONPath=".spec.summary.warn"
+// +kubebuilder:printcolumn:name="Error",type=integer,JSONPath=".spec.summary.error"
+// +kubebuilder:printcolumn:name="Skip",type=integer,JSONPath=".spec.summary.skip"
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Uid",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.uid']"
+// +kubebuilder:printcolumn:name="Hash",type=string,JSONPath=".metadata.labels['audit\\.kyverno\\.io/resource\\.hash']",priority=1
+
+// ClusterEphemeralReport is the Schema for the ClusterEphemeralReports API
+type ClusterEphemeralReport struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+ Spec EphemeralReportSpec `json:"spec"`
+}
+
+func (r *ClusterEphemeralReport) GetResults() []policyreportv1alpha2.PolicyReportResult {
+ return r.Spec.Results
+}
+
+func (r *ClusterEphemeralReport) SetResults(results []policyreportv1alpha2.PolicyReportResult) {
+ r.Spec.Results = results
+}
+
+func (r *ClusterEphemeralReport) SetSummary(summary policyreportv1alpha2.PolicyReportSummary) {
+ r.Spec.Summary = summary
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// EphemeralReportList contains a list of EphemeralReport
+type EphemeralReportList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []EphemeralReport `json:"items"`
+}
+
+// +kubebuilder:object:root=true
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ClusterEphemeralReportList contains a list of ClusterEphemeralReport
+type ClusterEphemeralReportList struct {
+ metav1.TypeMeta `json:",inline"`
+ metav1.ListMeta `json:"metadata,omitempty"`
+ Items []ClusterEphemeralReport `json:"items"`
+}
diff --git a/api/reports/v1/interface.go b/api/reports/v1/interface.go
new file mode 100644
index 000000000000..b9b33e8f207a
--- /dev/null
+++ b/api/reports/v1/interface.go
@@ -0,0 +1,32 @@
+/*
+Copyright 2020 The Kubernetes authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1
+
+import (
+ policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +kubebuilder:object:generate=false
+
+// ReportInterface abstracts the concrete report change request type
+type ReportInterface interface {
+ metav1.Object
+ GetResults() []policyreportv1alpha2.PolicyReportResult
+ SetResults([]policyreportv1alpha2.PolicyReportResult)
+ SetSummary(policyreportv1alpha2.PolicyReportSummary)
+}
diff --git a/api/reports/v1/zz_generated.deepcopy.go b/api/reports/v1/zz_generated.deepcopy.go
new file mode 100644
index 000000000000..201549dee166
--- /dev/null
+++ b/api/reports/v1/zz_generated.deepcopy.go
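Review bot: The `Uid` print column carries `priority=1` on EphemeralReport but not on ClusterEphemeralReport, so `kubectl get cephr` shows the UID in the default table while `kubectl get ephr` only shows it with `-o wide`; the two marker blocks are otherwise parallel, so this looks like an oversight — append `,priority=1` to the ClusterEphemeralReport `Uid` line. `EphemeralReportSpec` is an exported type with no doc comment, and since this package's doc.go enables `+k8s:openapi-gen=true` that comment is also what ends up as the schema description; a line such as `// EphemeralReportSpec holds the owner reference, summary and per-policy results of an ephemeral report.` should precede the struct. The exported `GetResults`, `SetResults` and `SetSummary` methods on both types are likewise undocumented, and the `Summary` and `Results` field comments start with the type name rather than the field name (`// Summary provides a summary of results`, `// Results provides result details`), which is the form godoc and the description generators expect.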
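Review bot: The doc comment `// ReportInterface abstracts the concrete report change request type` does not describe what this interface covers: within this package it is satisfied by EphemeralReport and ClusterEphemeralReport, the two types that define GetResults/SetResults/SetSummary, so the "report change request" wording reads as carried over from an older type. Suggest `// ReportInterface abstracts the concrete ephemeral report types (EphemeralReport, ClusterEphemeralReport) so callers can read and update results without knowing the scope.` The `+kubebuilder:object:generate=false` marker is appropriate here, since doc.go sets `+kubebuilder:object:generate=true` for the whole package and an interface has no DeepCopy to generate.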
@@ -0,0 +1,172 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1 + +import ( + v1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ClusterEphemeralReport) DeepCopyInto(out *ClusterEphemeralReport) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterEphemeralReport. +func (in *ClusterEphemeralReport) DeepCopy() *ClusterEphemeralReport { + if in == nil { + return nil + } + out := new(ClusterEphemeralReport) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterEphemeralReport) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *ClusterEphemeralReportList) DeepCopyInto(out *ClusterEphemeralReportList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]ClusterEphemeralReport, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterEphemeralReportList. +func (in *ClusterEphemeralReportList) DeepCopy() *ClusterEphemeralReportList { + if in == nil { + return nil + } + out := new(ClusterEphemeralReportList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *ClusterEphemeralReportList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EphemeralReport) DeepCopyInto(out *EphemeralReport) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralReport. +func (in *EphemeralReport) DeepCopy() *EphemeralReport { + if in == nil { + return nil + } + out := new(EphemeralReport) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *EphemeralReport) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *EphemeralReportList) DeepCopyInto(out *EphemeralReportList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]EphemeralReport, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralReportList. +func (in *EphemeralReportList) DeepCopy() *EphemeralReportList { + if in == nil { + return nil + } + out := new(EphemeralReportList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *EphemeralReportList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EphemeralReportSpec) DeepCopyInto(out *EphemeralReportSpec) { + *out = *in + in.Owner.DeepCopyInto(&out.Owner) + out.Summary = in.Summary + if in.Results != nil { + in, out := &in.Results, &out.Results + *out = make([]v1alpha2.PolicyReportResult, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralReportSpec. +func (in *EphemeralReportSpec) DeepCopy() *EphemeralReportSpec { + if in == nil { + return nil + } + out := new(EphemeralReportSpec) + in.DeepCopyInto(out) + return out +} diff --git a/api/reports/v1/zz_generated.defaults.go b/api/reports/v1/zz_generated.defaults.go new file mode 100644 index 000000000000..dac177e93bd0 --- /dev/null +++ b/api/reports/v1/zz_generated.defaults.go 
@@ -0,0 +1,33 @@
+//go:build !ignore_autogenerated
+// +build !ignore_autogenerated
+
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by defaulter-gen. DO NOT EDIT.
+
+package v1
+
+import (
+ runtime "k8s.io/apimachinery/pkg/runtime"
+)
+
+// RegisterDefaults adds defaulters functions to the given scheme.
+// Public to allow building arbitrary schemes.
+// All generated defaulters are covering - they call all nested defaulters.
+func RegisterDefaults(scheme *runtime.Scheme) error {
+ return nil
+}
diff --git a/api/reports/v1/zz_generated.register.go b/api/reports/v1/zz_generated.register.go
new file mode 100644
index 000000000000..6a2392d8e969
--- /dev/null
+++ b/api/reports/v1/zz_generated.register.go
@@ -0,0 +1,69 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Code generated by register-gen. DO NOT EDIT.
+
+package v1
+
+import (
+ v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName specifies the group name used to register the objects.
+const GroupName = "reports.kyverno.io"
+
+// GroupVersion specifies the group and the version used to register the objects.
+var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1"}
+
+// SchemeGroupVersion is group version used to register these objects
+// Deprecated: use GroupVersion instead.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource
+func Resource(resource string) schema.GroupResource {
+ return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+var (
+ // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
+ SchemeBuilder runtime.SchemeBuilder
+ localSchemeBuilder = &SchemeBuilder
+ // Depreciated: use Install instead
+ AddToScheme = localSchemeBuilder.AddToScheme
+ Install = localSchemeBuilder.AddToScheme
+)
+
+func init() {
+ // We only register manually written functions here. The registration of the
+ // generated functions takes place in the generated files. The separation
+ // makes the code compile even when the generated files are missing.
+ localSchemeBuilder.Register(addKnownTypes)
+}
+
+// Adds the list of known types to Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+ scheme.AddKnownTypes(SchemeGroupVersion,
+ &ClusterEphemeralReport{},
+ &ClusterEphemeralReportList{},
+ &EphemeralReport{},
+ &EphemeralReportList{},
+ )
+ // AddToGroupVersion allows the serialization of client types like ListOptions.
+ v1.AddToGroupVersion(scheme, SchemeGroupVersion)
+ return nil
+}
diff --git a/charts/kyverno-policies/.helmignore b/charts/kyverno-policies/.helmignore
index 20b07486af69..85df807a7561 100644
--- a/charts/kyverno-policies/.helmignore
+++ b/charts/kyverno-policies/.helmignore
@@ -1,2 +1,3 @@
+.helmignore
 ci/
 README.md.gotmpl
diff --git a/charts/kyverno-policies/Chart.yaml b/charts/kyverno-policies/Chart.yaml
index cde155af7b45..a1494651dc5f 100644
--- a/charts/kyverno-policies/Chart.yaml
+++ b/charts/kyverno-policies/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 type: application
 name: kyverno-policies
-version: v2.5.5
-appVersion: v1.7.3
+version: v0.0.0
+appVersion: latest
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Pod Security Standards implemented as Kyverno policies
 keywords:
@@ -15,17 +15,9 @@ home: https://kyverno.io/policies/ sources: - https://github.com/kyverno/policies maintainers: - - name: Nirmata - url: https://kyverno.io/ -kubeVersion: ">=1.16.0-0" + - name: kyverno-maintainers + email: cncf-kyverno-maintainers@lists.cncf.io +kubeVersion: ">=1.25.0-0" annotations: artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" - # valid kinds are: added, changed, deprecated, removed, fixed and security - artifacthub.io/changes: | - - kind: added - description: Add ability to configure autogen behavior - - kind: fixed - description: Support for customLabels, they were ignored up to now - - kind: removed - description: "Walk back change in PSS policy to send to to_upper" diff --git a/charts/kyverno-policies/README.md b/charts/kyverno-policies/README.md index 48ae5e1b3f07..5b8c48041fa1 100644 --- a/charts/kyverno-policies/README.md +++ b/charts/kyverno-policies/README.md @@ -2,7 +2,7 @@ Kubernetes Pod Security Standards implemented as Kyverno policies -![Version: v2.5.5](https://img.shields.io/badge/Version-v2.5.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.7.3](https://img.shields.io/badge/AppVersion-v1.7.3-informational?style=flat-square) +![Version: v0.0.0](https://img.shields.io/badge/Version-v0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) ## About 
@@ -37,6 +37,16 @@ An additional policy "require-non-root-groups" is included in an `other` group a For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security. +## Deploy custom policies +If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`: +````yaml +customPolicies: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: # metadata + spec: # spec +```` + ## Installing the Chart These PSS policies presently have a minimum requirement of Kyverno 1.6.0. 
@@ -63,13 +73,15 @@ The command removes all the Kubernetes components associated with the chart and | Key | Type | Default | Description | |-----|------|---------|-------------| +| policyKind | string | `"ClusterPolicy"` | Policy kind (`ClusterPolicy`, `Policy`) Set to `Policy` if you need namespaced policies and not cluster policies | | podSecurityStandard | string | `"baseline"` | Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). For more info https://kyverno.io/policies/pod-security. | | podSecuritySeverity | string | `"medium"` | Pod Security Standard (`low`, `medium`, `high`). | | podSecurityPolicies | list | `[]` | Policies to include when `podSecurityStandard` is `custom`. | | includeOtherPolicies | list | `[]` | Additional policies to include from `other`. | | includeRestrictedPolicies | list | `[]` | Additional policies to include from `restricted`. | +| customPolicies | list | `[]` | Additional custom policies to include. | | failurePolicy | string | `"Fail"` | API server behavior if the webhook fails to respond ('Ignore', 'Fail') For more info: https://kyverno.io/docs/writing-policies/policy-settings/ | -| validationFailureAction | string | `"audit"` | Validation failure action (`audit`, `enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | +| validationFailureAction | string | `"Audit"` | Validation failure action (`Audit`, `Enforce`). For more info https://kyverno.io/docs/writing-policies/validate. | | validationFailureActionByPolicy | object | `{}` | Define validationFailureActionByPolicy for specific policies. Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. | | validationFailureActionOverrides | object | `{"all":[]}` | Define validationFailureActionOverrides for specific policies. The overrides for `all` will apply to all policies. | | policyExclude | object | `{}` | Exclude resources from individual policies. 
Policies with multiple rules can have individual rules excluded by using the name of the rule as the key in the `policyExclude` map. | @@ -78,6 +90,7 @@ The command removes all the Kubernetes components associated with the chart and | nameOverride | string | `nil` | Name override. | | customLabels | object | `{}` | Additional labels. | | background | bool | `true` | Policies background mode | +| skipBackgroundRequests | bool | `nil` | SkipBackgroundRequests bypasses admission requests that are sent by the background controller | | kyvernoVersion | string | `"autodetect"` | Kyverno version The default of "autodetect" will try to determine the currently installed version from the deployment | ## Source Code @@ -86,13 +99,13 @@ The command removes all the Kubernetes components associated with the chart and ## Requirements -Kubernetes: `>=1.16.0-0` +Kubernetes: `>=1.25.0-0` ## Maintainers | Name | Email | Url | | ---- | ------ | --- | -| Nirmata | | | +| kyverno-maintainers | | | ## Changes diff --git a/charts/kyverno-policies/README.md.gotmpl b/charts/kyverno-policies/README.md.gotmpl index 59c5469140fe..7108cabc3b50 100644 --- a/charts/kyverno-policies/README.md.gotmpl +++ b/charts/kyverno-policies/README.md.gotmpl @@ -37,6 +37,16 @@ An additional policy "require-non-root-groups" is included in an `other` group a For the latest version of these PSS policies, always refer to the kyverno/policies repo at https://github.com/kyverno/policies/tree/main/pod-security. +## Deploy custom policies +If you have custom policies you would like to deploy as part of the Helm release, provide their manifests in `.Values.customPolicies`: +````yaml +customPolicies: + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: # metadata + spec: # spec +```` + ## Installing the Chart These PSS policies presently have a minimum requirement of Kyverno 1.6.0. 
diff --git a/charts/kyverno-policies/ci/test-preconditions-values.yaml b/charts/kyverno-policies/ci/test-preconditions-values.yaml index df4e8e9d1f97..a23ffa3243ad 100644 --- a/charts/kyverno-policies/ci/test-preconditions-values.yaml +++ b/charts/kyverno-policies/ci/test-preconditions-values.yaml @@ -12,8 +12,18 @@ policyPreconditions: - key: "{{ request.object.metadata.name }}" operator: NotEquals value: "dcgm-exporter*" + disallow-capabilities: + all: + - key: "{{ request.object.metadata.name }}" + operator: NotEquals + value: "dcgm-exporter*" adding-capabilities-strict: all: - key: "{{ request.object.metadata.name }}" operator: NotEquals value: "dcgm-exporter*" + restrict-volume-types: + all: + - key: "{{ request.object.metadata.name }}" + operator: NotEquals + value: "dcgm-exporter*" diff --git a/charts/kyverno-policies/templates/_helpers.tpl b/charts/kyverno-policies/templates/_helpers.tpl index d9d4bb164f79..4f73c2654521 100644 --- a/charts/kyverno-policies/templates/_helpers.tpl +++ b/charts/kyverno-policies/templates/_helpers.tpl @@ -16,7 +16,7 @@ app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} app.kubernetes.io/name: {{ template "kyverno-policies.name" . }} app.kubernetes.io/part-of: {{ template "kyverno-policies.name" . }} -app.kubernetes.io/version: "{{ .Chart.Version }}" +app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}" helm.sh/chart: {{ template "kyverno-policies.chart" . }} {{- if .Values.customLabels }} {{ toYaml .Values.customLabels }} 
@@ -56,6 +56,15 @@ helm.sh/chart: {{ template "kyverno-policies.chart" . }} {{- end -}} {{- end -}} +{{/* Set if custom policies are managed */}} +{{- define "kyverno-policies.customPolicies" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + {{/* Get deployed Kyverno version from Kubernetes */}} {{- define "kyverno-policies.kyvernoVersion" -}} {{- $version := "" -}} diff --git a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml index 9bb70d2da610..c93d4601a4af 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-capabilities.yaml @@ -2,7 +2,7 @@ {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} {{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -43,9 +43,29 @@ spec: exclude: {{- toYaml . | nindent 8 }} {{- end }} - {{- with index .Values "policyPreconditions" $name }} + {{- $preconditions := index .Values "policyPreconditions" $name }} + {{- if $preconditions }} + {{- with $preconditions }} preconditions: - {{- toYaml . | nindent 8 }} + {{- if .all }} + all: + - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" + operator: NotEquals + value: DELETE + {{- toYaml .all | nindent 8 }} + {{- else }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- else }} + preconditions: + all: + - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" + operator: NotEquals + value: DELETE + {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: message: >- 
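Review bot: The new `kyverno-policies.customPolicies` helper passes every custom policy through `tpl`, so any `{{ ... }}` in a user-supplied manifest is evaluated by Helm before Kyverno ever sees it; Kyverno policies routinely carry `{{ request.object... }}` variable references, and those will fail rendering or be silently consumed unless the user escapes them the way this chart's own templates do for `request.operation`. Neither the "Deploy custom policies" README section nor the `customPolicies` comment in values.yaml added in this commit mentions this. I would state it on the define, e.g. `{{/* Render one custom policy. The value is passed through tpl, so Kyverno's own {{ }} variable references must be escaped by the caller. */}}`, and repeat it in the values.yaml comment. The same applies to templates/other/custom-policies.yaml further down, which renders whatever is in `.Values.customPolicies` with no check that the item is a Kyverno policy kind at all, so it is worth saying there that the chart installs arbitrary manifests from that value.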
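Review bot: The default `request.operation || 'BACKGROUND'` NotEquals DELETE precondition is only prepended when the user's `policyPreconditions` entry has an `all` key; an entry that uses only `any` takes the `else` branch and the DELETE exclusion is dropped, so the rule is no longer excluded from delete requests for exactly the users who customised preconditions, which appears to be the opposite of what the default branch intends. Either always emit the `all:` entry and append the user's `all` items beneath it, or document the limitation in the values.yaml comment for `policyPreconditions`. The `{{- with $preconditions }}` nested directly inside `{{- if $preconditions }}` is also redundant, since the value has just been tested. The identical structure is repeated in templates/restricted/restrict-volume-types.yaml in this commit.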
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml index 894beec57425..58c33e22189f 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-namespaces.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-host-namespaces" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -48,6 +48,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Sharing the host namespaces is disallowed. The fields spec.hostNetwork, diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml index 8793ef3a0b09..5585a0d81c9a 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-path.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-host-path" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -47,6 +47,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- HostPath volumes are forbidden. The field spec.volumes[*].hostPath must be unset. 
diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml index 67ec3b9c0410..cf3bd191a095 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-ports.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-host-ports" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -47,6 +47,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Use of host ports is disallowed. The fields spec.containers[*].ports[*].hostPort diff --git a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml index 8ad2d0c87362..3f925251d0ec 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-host-process.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-host-process" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -48,6 +48,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- HostProcess containers are disallowed. The fields spec.securityContext.windowsOptions.hostProcess, 
diff --git a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml index 1d65f0292bda..10f222bfdc58 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-privileged-containers.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-privileged-containers" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -46,6 +46,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Privileged mode is disallowed. The fields spec.containers[*].securityContext.privileged diff --git a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml index c607738c73fe..c9ebfb200895 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-proc-mount.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-proc-mount" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -48,6 +48,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Changing the proc mount from the default is not allowed. The fields 
diff --git a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml index 89d0209dc180..f6045308a433 100644 --- a/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml +++ b/charts/kyverno-policies/templates/baseline/disallow-selinux.yaml @@ -1,7 +1,7 @@ {{- $name := "disallow-selinux" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -46,6 +46,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Setting the SELinux type is restricted. The fields @@ -83,6 +86,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Setting the SELinux user or role is forbidden. The fields diff --git a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml index b58c68771ba2..4e261d87a481 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-apparmor-profiles.yaml @@ -1,7 +1,7 @@ {{- $name := "restrict-apparmor-profiles" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: 
@@ -49,6 +49,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Specifying other AppArmor profiles is disallowed. The annotation diff --git a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml index 99dbcabc32ce..0798a6457864 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-seccomp.yaml @@ -1,7 +1,7 @@ {{- $name := "restrict-seccomp" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -47,6 +47,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Use of custom Seccomp profiles is disallowed. The fields diff --git a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml index 7e3da6ad56d2..f8a3f54aaaf2 100644 --- a/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml +++ b/charts/kyverno-policies/templates/baseline/restrict-sysctls.yaml @@ -1,7 +1,7 @@ {{- $name := "restrict-sysctls" }} {{- if eq (include "kyverno-policies.podSecurityBaseline" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: 
@@ -50,6 +50,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Setting additional sysctls above the allowed type is disallowed. diff --git a/charts/kyverno-policies/templates/other/custom-policies.yaml b/charts/kyverno-policies/templates/other/custom-policies.yaml new file mode 100644 index 000000000000..be8c0441279a --- /dev/null +++ b/charts/kyverno-policies/templates/other/custom-policies.yaml @@ -0,0 +1,4 @@ +{{- range .Values.customPolicies }} +--- +{{ include "kyverno-policies.customPolicies" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml index 759fab90af48..4e0b74d17fda 100644 --- a/charts/kyverno-policies/templates/other/require-non-root-groups.yaml +++ b/charts/kyverno-policies/templates/other/require-non-root-groups.yaml @@ -1,7 +1,7 @@ {{- $name := "require-non-root-groups" }} {{- if eq (include "kyverno-policies.podSecurityOther" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -48,6 +48,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Running with root group IDs is disallowed. The fields @@ -92,6 +95,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Containers cannot run with a root primary or supplementary GID. The field 
@@ -111,6 +117,9 @@ spec: exclude: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Containers cannot run with a root primary or supplementary GID. The field diff --git a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml index 46ea01b10a07..ff563f156413 100644 --- a/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml +++ b/charts/kyverno-policies/templates/restricted/disallow-capabilities-strict.yaml @@ -2,7 +2,7 @@ {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} {{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -65,6 +65,9 @@ spec: operator: NotEquals value: DELETE {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Containers must drop `ALL` capabilities. @@ -107,6 +110,9 @@ spec: operator: NotEquals value: DELETE {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Any capabilities added other than NET_BIND_SERVICE are disallowed. diff --git a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml index 687a2eb45f78..646cb48a57f2 100644 --- a/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml +++ b/charts/kyverno-policies/templates/restricted/disallow-privilege-escalation.yaml 
@@ -1,7 +1,7 @@ {{- $name := "disallow-privilege-escalation" }} {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -46,6 +46,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Privilege escalation is disallowed. The fields diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml index f40877350e1f..7bb165be21d2 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml +++ b/charts/kyverno-policies/templates/restricted/require-run-as-non-root-user.yaml @@ -1,7 +1,7 @@ {{- $name := "require-run-as-non-root-user" }} {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -46,6 +46,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Running as root is not allowed. The fields spec.securityContext.runAsUser, diff --git a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml index 406689f32e34..8b1e58951946 100644 --- a/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml +++ b/charts/kyverno-policies/templates/restricted/require-run-as-nonroot.yaml 
@@ -1,7 +1,7 @@ {{- $name := "require-run-as-nonroot" }} {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -47,6 +47,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Running as root is not allowed. Either the field spec.securityContext.runAsNonRoot diff --git a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml index af8888fe5677..28482459bd5e 100644 --- a/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml +++ b/charts/kyverno-policies/templates/restricted/restrict-seccomp-strict.yaml @@ -1,7 +1,7 @@ {{- $name := "restrict-seccomp-strict" }} {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -49,6 +49,9 @@ spec: preconditions: {{- toYaml . | nindent 8 }} {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} + {{- end }} validate: message: >- Use of custom Seccomp profiles is disallowed. The fields diff --git a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml index 28180a7f931e..57aae652c7cb 100644 --- a/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml +++ b/charts/kyverno-policies/templates/restricted/restrict-volume-types.yaml 
@@ -2,7 +2,7 @@ {{- if eq (include "kyverno-policies.podSecurityRestricted" (merge (dict "name" $name) .)) "true" }} {{- include "kyverno-policies.supportedKyvernoCheck" (dict "top" . "ver" ">= 1.6.0-0") }} apiVersion: kyverno.io/v1 -kind: ClusterPolicy +kind: {{ .Values.policyKind }} metadata: name: {{ $name }} annotations: @@ -45,9 +45,29 @@ spec: exclude: {{- toYaml . | nindent 8 }} {{- end }} - {{- with index .Values "policyPreconditions" $name }} + {{- $preconditions := index .Values "policyPreconditions" $name }} + {{- if $preconditions }} + {{- with $preconditions }} preconditions: - {{- toYaml . | nindent 8 }} + {{- if .all }} + all: + - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" + operator: NotEquals + value: DELETE + {{- toYaml .all | nindent 8 }} + {{- else }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- else }} + preconditions: + all: + - key: "{{`{{ request.operation || 'BACKGROUND' }}`}}" + operator: NotEquals + value: DELETE + {{- end }} + {{- if not (quote .Values.skipBackgroundRequests | empty) }} + skipBackgroundRequests: {{ .Values.skipBackgroundRequests }} {{- end }} validate: message: >- diff --git a/charts/kyverno-policies/values.yaml b/charts/kyverno-policies/values.yaml index 4fe5dc7fd664..400ad5a1353b 100644 --- a/charts/kyverno-policies/values.yaml +++ b/charts/kyverno-policies/values.yaml @@ -1,3 +1,7 @@ +# -- Policy kind (`ClusterPolicy`, `Policy`) +# Set to `Policy` if you need namespaced policies and not cluster policies +policyKind: ClusterPolicy + # -- Pod Security Standard profile (`baseline`, `restricted`, `privileged`, `custom`). # For more info https://kyverno.io/policies/pod-security. podSecurityStandard: baseline 
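Review bot: `policyKind` is interpolated verbatim into `kind:` in every policy template of this commit with no check that it is one of the two documented values, so a typo or an unsupported kind renders a manifest that only fails when the API server rejects it, well after templating. A guard alongside the existing `kyverno-policies.supportedKyvernoCheck` helper would fail fast: `{{- if not (has .Values.policyKind (list "ClusterPolicy" "Policy")) }}{{- fail (printf "policyKind must be ClusterPolicy or Policy, got %q" .Values.policyKind) }}{{- end }}`. The values.yaml comment should also say that with `Policy` the objects are namespaced and, since none of the templates set `metadata.namespace`, Helm will create them in the release namespace.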
@@ -16,13 +20,20 @@ includeOtherPolicies: [] includeRestrictedPolicies: [] # - require-run-as-non-root-user +# -- Additional custom policies to include. +customPolicies: [] +# - apiVersion: kyverno.io/v1 +# kind: ClusterPolicy +# metadata: # metadata +# spec: # spec + # -- API server behavior if the webhook fails to respond ('Ignore', 'Fail') # For more info: https://kyverno.io/docs/writing-policies/policy-settings/ failurePolicy: Fail -# -- Validation failure action (`audit`, `enforce`). +# -- Validation failure action (`Audit`, `Enforce`). # For more info https://kyverno.io/docs/writing-policies/validate. -validationFailureAction: audit +validationFailureAction: Audit # -- Define validationFailureActionByPolicy for specific policies. # Override the defined `validationFailureAction` with a individual validationFailureAction for individual Policies. @@ -97,6 +108,9 @@ customLabels: {} # -- Policies background mode background: true +# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller +skipBackgroundRequests: ~ + # -- Kyverno version # The default of "autodetect" will try to determine the currently installed version from the deployment kyvernoVersion: autodetect diff --git a/charts/kyverno/.helmignore b/charts/kyverno/.helmignore index 20b07486af69..85df807a7561 100644 --- a/charts/kyverno/.helmignore +++ b/charts/kyverno/.helmignore @@ -1,2 +1,3 @@ +.helmignore ci/ README.md.gotmpl diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml index cd54a71cdc8b..3d20cb64f196 100644 --- a/charts/kyverno/Chart.yaml +++ b/charts/kyverno/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v2 type: application name: kyverno -version: v2.5.3 +version: v0.0.0 appVersion: latest icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png description: Kubernetes Native Policy Management 
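Review bot: The `customPolicies` comment gives a manifest skeleton but does not say whether chart-level settings such as `policyKind`, `validationFailureAction`, `background` and `failurePolicy` are applied to these entries or whether they are rendered verbatim; from the values alone it reads as verbatim, in which case each custom policy must carry its own `spec.validationFailureAction` or it lands in Kyverno's default rather than the chart's. Proposed addition: `# Entries are rendered as given; chart-level defaults (validationFailureAction, background, ...) are not applied to them.` — the rendering template is outside this view, so the wording should be confirmed against it. On the `audit` → `Audit` default change, a one-line note that the PascalCase form is the documented one would help users with lowercase overrides, assuming the target Kyverno version still accepts both spellings.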
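Review bot: The comment on `skipBackgroundRequests` in the `@@ -97,6 +108,9 @@` hunk does not explain the `~` default, yet the templates in this diff emit the field whenever the value is non-empty after `quote`, so `~` and `false` behave differently: unset omits the field from every rendered policy and leaves Kyverno's own default in force, while `false` is written out explicitly. Proposed: `# -- (bool) SkipBackgroundRequests bypasses admission requests that are sent by the background controller. Leave as ~ to omit the field (Kyverno default applies); set true/false to render it explicitly in every policy.`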
@@ -9,15 +9,22 @@ keywords: - kubernetes - nirmata - policy agent + - policy - validating webhook - - admissions controller + - admission controller + - mutation + - mutate + - validate + - generate + - supply chain + - security home: https://kyverno.io/ sources: - https://github.com/kyverno/kyverno maintainers: - name: Nirmata url: https://kyverno.io/ -kubeVersion: ">=1.16.0-0" +kubeVersion: ">=1.25.0-0" annotations: artifacthub.io/operator: "false" artifacthub.io/prerelease: "false" @@ -26,7 +33,16 @@ annotations: url: https://kyverno.io/docs # valid kinds are: added, changed, deprecated, removed, fixed and security artifacthub.io/changes: | - - kind: changed - description: Syntax change for webhooksCleanup switch to match with the rest of the file - - kind: fixed - description: Handle multiple extraArgs in init container + - kind: added + description: Add a key to preserve configmap settings during upgrade + - kind: added + description: Make admission reports breaker threshold configurable + - kind: removed + description: Deprecated configuration `features.reports.chunkSize` was removed +dependencies: + - name: grafana + version: v0.0.0 + condition: grafana.enabled + - name: crds + version: v0.0.0 + condition: crds.install diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md index 6733bea67202..48ed8b51d0c3 100644 --- a/charts/kyverno/README.md +++ b/charts/kyverno/README.md 
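Review bot: The `kubeVersion` floor moves from `>=1.16.0-0` to `>=1.25.0-0`, which makes Helm refuse to install the chart on older clusters, but the `artifacthub.io/changes` list rewritten in the following hunk does not record it; an entry such as `- kind: changed` / `description: Minimum supported Kubernetes version raised to 1.25` would surface it in release metadata where users look first. The `grafana` and `crds` dependencies pinned to `v0.0.0` are presumably substituted by release tooling, like the chart `version` itself, in which case a comment saying so would stop them reading as placeholders that slipped through.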
@@ -2,7 +2,7 @@ Kubernetes Native Policy Management -![Version: v2.5.3](https://img.shields.io/badge/Version-v2.5.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) +![Version: v0.0.0](https://img.shields.io/badge/Version-v0.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: latest](https://img.shields.io/badge/AppVersion-latest-informational?style=flat-square) ## About @@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io. ## Installing the Chart +**IMPORTANT IMPORTANT IMPORTANT IMPORTANT** + +This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section. + **Add the Kyverno Helm repository:** ```console 
@@ -105,6 +109,135 @@ spec: - Replace=true ``` +**Notes on using Azure Kubernetes Service (AKS):** + +AKS contains a component known as [Admission Enforcer](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) which will attempt to modify Kyverno's webhooks if not excluded explicitly during Helm installation. If Admissions Enforcer is not disabled, this can lead to several symptoms such as high observed CPU usage and potentially cluster instability. Please see the Kyverno documentation [here](https://kyverno.io/docs/installation/platform-notes/#notes-for-aks-users) for more information and how to set this annotation on webhooks. + +## Migrating from v2 to v3 + +Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases. + +**IMPORTANT NOTE**: If you currently use [clone-type](https://kyverno.io/docs/writing-policies/generate/#clone-source) generate rules with synchronization enabled, please do not upgrade to 1.10.0 as there is a bug which may prevent synchronization from occurring on all downstream (generated) resources when the source is updated. Please wait for a future patch where this should be resolved. See [issue 7170](https://github.com/kyverno/kyverno/issues/7170) for further details. + +### Option 1 - Uninstallation and Reinstallation + +The first option for upgrading, which is the recommended option, involves backing up Kyverno policy resources, uninstalling Kyverno, and reinstalling with v3 of the chart. 
Policy Reports for policies which have background mode enabled will be regenerated upon the next scan interval. + +**Pros** + +* Reduced complexity with minimal effort +* Allows re-checking older policies against new validation webhooks in 1.10 + +**Cons** + +* Policy Reports which contained results only from admission mode and from policies/rules where background scans were disabled will be lost. +* Requires additional steps if data-type generate rules are used + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Backup and export all Kyverno policy resources to a YAML manifest. Use the command `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A -o yaml > kyvernobackup.yaml`. + 1. Before performing this step, if you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`) disable synchronization first (set `generate.synchronize: false`). If you do not perform this step first, uninstallation of Kyverno in the subsequent step, which removes all policies, will result in deletion of generated resources. +3. Uninstall your current version of Kyverno. +4. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +5. Install the v3 chart with Kyverno 1.10. +6. Restore your Kyverno policies. Use the command `kubectl create -f kyvernobackup.yaml`. + 1. Before performing this step, if step 2.1 applied to you, enable synchronization (set `generate.synchronize: true`) AND add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. 
Also, understand that when re-installing these policies with `spec.generateExisting: true`, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. + +### Option 2 - Scale to Zero + +In the second option, Kyverno policies do not have to be backed up however you perform more manual work in order to prepare for the upgrade to chart v3. + +**Pros** + +* Policy Reports which contained results from admission mode will be preserved +* Kyverno policies do not need to be backed up first + +**Cons** + +* Older policies will not be revalidated for correctness according to the breaking schema changes. Some policies may not work as they did before. +* Requires additional steps if data-type generate rules are used + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Scale the `kyverno` Deployment to zero replicas. +3. If coming from 1.9 and you have installed the cleanup controller, scale the `kyverno-cleanup-controller` Deployment to zero replicas. +4. If step 3 applied to you, now delete the cleanup Deployment. +5. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +6. Upgrade to the v3 chart by passing the mandatory flag `upgrade.fromV2=true`. +7. If you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`), after the upgrade modify those policies to add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. 
Also, understand that when making this modification, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. + +### New Chart Values + +In `v3` chart values changed significantly, please read the instructions below to migrate your values: + +- `config.metricsConfig` is now `metricsConfig` +- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces` +- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace` +- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__ +- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__ +- `namespace` has been renamed `namespaceOverride` +- `installCRDs` has been replaced with `crds.install` +- `testImage` has been replaced with `test.image` +- `testResources` has been replaced with `test.resources` +- `testSecurityContext` has been replaced with `test.securityContext` +- `replicaCount` has been replaced with `admissionController.replicas` +- `updateStrategy` has been replaced with `admissionController.updateStrategy` +- `priorityClassName` has been replaced with `admissionController.priorityClassName` +- `hostNetwork` has been replaced with `admissionController.hostNetwork` +- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` +- `nodeSelector` has been replaced with `admissionController.nodeSelector` +- `tolerations` has been replaced with `admissionController.tolerations` +- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` +- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` +- `antiAffinity` has been replaced with `admissionController.antiAffinity` +- 
`antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled` +- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity` +- `podAffinity` has been replaced with `admissionController.podAffinity` +- `nodeAffinity` has been replaced with `admissionController.nodeAffinity` +- `startupProbe` has been replaced with `admissionController.startupProbe` +- `livenessProbe` has been replaced with `admissionController.livenessProbe` +- `readinessProbe` has been replaced with `admissionController.readinessProbe` +- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert` +- `serviceMonitor` has been replaced with `admissionController.serviceMonitor` +- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` +- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` +- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` +- `initImage` has been replaced with `admissionController.initContainer.image` +- `initResources` has been replaced with `admissionController.initContainer.resources` +- `image` has been replaced with `admissionController.container.image` +- `image.pullSecrets` has been replaced with `admissionController.imagePullSecrets` +- `resources` has been replaced with `admissionController.container.resources` +- `service` has been replaced with `admissionController.service` +- `metricsService` has been replaced with `admissionController.metricsService` +- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` +- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` +- `envVars` has been replaced with `admissionController.container.extraEnvVars` +- `extraArgs` has been replaced with `admissionController.container.extraArgs` +- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` +- `extraContainers` has been 
replaced with `admissionController.extraContainers` +- `podLabels` has been replaced with `admissionController.podLabels` +- `podAnnotations` has been replaced with `admissionController.podAnnotations` +- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext` +- `rbac` has been replaced with `admissionController.rbac` +- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` +- `networkPolicy` has been replaced with `admissionController.networkPolicy` +- all `extraArgs` now use objects instead of arrays +- logging, tracing and metering are now configured using `*Controller.logging`, `*Controller.tracing` and `*Controller.metering` + +- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. + +- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. + +- Image references are now using the `registry` setting, if you override the registry or repository fields please use `registry` (`--set image.registry=ghcr.io --set image.repository=kyverno/kyverno` instead of `--set image.repository=ghcr.io/kyverno/kyverno`). + +- Admission controller `Deployment` name changed from `kyverno` to `kyverno-admission-controller`. +- `config.excludeUsername` was renamed to `config.excludeUsernames` +- `config.excludeGroupRole` was renamed to `config.excludeGroups` + +Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: 
@@ -117,122 +250,303 @@ The command removes all the Kubernetes components associated with the chart and ## Values +The chart values are organised per component. + +### Custom resource definitions + | Key | Type | Default | Description | |-----|------|---------|-------------| -| nameOverride | string | `nil` | Override the name of the chart | -| fullnameOverride | string | `nil` | Override the expanded name of the chart | -| namespace | string | `nil` | Namespace the chart deploys to | -| customLabels | object | `{}` | Additional labels | -| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount | -| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount | -| rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | -| rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | -| image.registry | string | `nil` | Image registry | -| image.repository | string | `"ghcr.io/kyverno/kyverno"` | Image repository | -| image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | -| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | -| image.pullSecrets | list | `[]` | Image pull secrets | -| initImage.registry | string | `nil` | Image registry | -| initImage.repository | string | `"ghcr.io/kyverno/kyvernopre"` | Image repository | -| initImage.tag | string | `nil` | Image tag If initImage.tag is missing, defaults to image.tag | -| initImage.pullPolicy | string | `nil` | Image pull policy If initImage.pullPolicy is missing, defaults to image.pullPolicy | -| initContainer.extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the kyvernopre binary. 
| -| testImage.registry | string | `nil` | Image registry | -| testImage.repository | string | `"busybox"` | Image repository | -| testImage.tag | string | `nil` | Image tag Defaults to `latest` if omitted | -| testImage.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted | -| replicaCount | int | `nil` | Desired number of pods | -| podLabels | object | `{}` | Additional labels to add to each pod | -| podAnnotations | object | `{}` | Additional annotations to add to each pod | -| podSecurityContext | object | `{}` | Security context for the pod | -| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | -| testSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers | -| priorityClassName | string | `""` | Optional priority class to be used for kyverno pods | -| antiAffinity.enable | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | -| podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | -| podAffinity | object | `{}` | Pod affinity constraints. | -| nodeAffinity | object | `{}` | Node affinity constraints. | -| podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for kyverno disruptions. Cannot be used if `maxUnavailable` is set. | -| podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for kyverno disruptions. Cannot be used if `minAvailable` is set. 
| -| nodeSelector | object | `{}` | Node labels for pod assignment | -| tolerations | list | `[]` | List of node taints to tolerate | -| hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | -| dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | -| envVarsInit | object | `{}` | Env variables for initContainers. | -| envVars | object | `{}` | Env variables for containers. | -| extraArgs | list | `["--loggingFormat=text"]` | Extra arguments to give to the binary. | -| extraInitContainers | list | `[]` | Array of extra init containers | -| extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | -| imagePullSecrets | object | `{}` | Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. | -| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verify and imageData policies. This will define the `--imagePullSecrets` Kyverno argument. 
| -| resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | -| resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | -| initResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | -| initResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| testResources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | -| testResources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | -| startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | -| generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. | -| excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | -| resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | -| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. 
| +| crds.install | bool | `true` | Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created | +| crds.groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | Install CRDs in group `kyverno.io` | +| crds.groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | Install CRDs in group `reports.kyverno.io` | +| crds.groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | Install CRDs in group `wgpolicyk8s.io` | +| crds.annotations | object | `{}` | Additional CRDs annotations | +| crds.customLabels | object | `{}` | Additional CRDs labels | +| crds.migration.enabled | bool | `true` | Enable CRDs migration using helm post upgrade hook | +| crds.migration.resources | list | `["cleanuppolicies.kyverno.io","clustercleanuppolicies.kyverno.io","clusterpolicies.kyverno.io","globalcontextentries.kyverno.io","policies.kyverno.io","policyexceptions.kyverno.io","updaterequests.kyverno.io"]` | Resources to migrate | +| crds.migration.image.registry | string | `"ghcr.io"` | Image registry | +| crds.migration.image.repository | string | `"kyverno/kyverno-cli"` | Image repository | +| crds.migration.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| crds.migration.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| crds.migration.imagePullSecrets | list | `[]` | Image pull secrets | +| crds.migration.podSecurityContext | object | `{}` | Security context for the pod | +| crds.migration.nodeSelector | object | `{}` | Node labels for pod assignment | +| crds.migration.tolerations | list | `[]` | List of node taints to tolerate | +| crds.migration.podAntiAffinity | object | `{}` | Pod anti affinity constraints. 
| +| crds.migration.podAffinity | object | `{}` | Pod affinity constraints. | +| crds.migration.podLabels | object | `{}` | Pod labels. | +| crds.migration.podAnnotations | object | `{}` | Pod annotations. | +| crds.migration.nodeAffinity | object | `{}` | Node affinity constraints. | +| crds.migration.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | + +### Config + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| config.create | bool | `true` | Create the configmap. | +| config.preserve | bool | `true` | Preserve the configmap settings during upgrade. | +| config.name | string | `nil` | The configmap name (required if `create` is `false`). | +| config.annotations | object | `{}` | Additional annotations to add to the configmap. | | config.enableDefaultRegistryMutation | bool | `true` | Enable registry mutation for container images. Enabled by default. | -| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | -| config.existingConfig | string | `""` | Name of an existing config map (ignores default/provided resourceFilters) | -| config.annotations | object | `{}` | Additional annotations to add to the configmap | -| config.excludeGroupRole | string | `nil` | Exclude group role | -| config.excludeUsername | string | `nil` | Exclude username | -| config.webhooks | string | `nil` | Defines the `namespaceSelector` in the webhook configurations. 
Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | +| config.defaultRegistry | string | `"docker.io"` | The registry hostname used for the image mutation. | +| config.excludeGroups | list | `["system:nodes"]` | Exclude groups | +| config.excludeUsernames | list | `[]` | Exclude usernames | +| config.excludeRoles | list | `[]` | Exclude roles | +| config.excludeClusterRoles | list | `[]` | Exclude roles | | config.generateSuccessEvents | bool | `false` | Generate success events. | -| config.metricsConfig | object | `{"annotations":{},"namespaces":{"exclude":[],"include":[]}}` | Metrics config. | -| config.metricsConfig.annotations | object | `{}` | Additional annotations to add to the metricsconfigmap | -| updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | -| service.port | int | `443` | Service port. | -| service.type | string | `"ClusterIP"` | Service type. | -| service.nodePort | string | `nil` | Service node port. Only used if `service.type` is `NodePort`. | -| service.annotations | object | `{}` | Service annotations. | -| topologySpreadConstraints | list | `[]` | Topology spread constraints. | -| metricsService.create | bool | `true` | Create service. | -| metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. | -| metricsService.type | string | `"ClusterIP"` | Service type. | -| metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | -| metricsService.annotations | object | `{}` | Service annotations. | -| serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. 
| -| serviceMonitor.additionalLabels | string | `nil` | Additional labels | -| serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) | -| serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | -| serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | -| serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | -| serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | -| createSelfSignedCert | bool | `false` | Kyverno requires a certificate key pair and corresponding certificate authority to properly register its webhooks. This can be done in one of 3 ways: 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) 2) Provide your own CA and cert. In this case, you will need to create a certificate with a specific name and data structure. As long as you follow the naming scheme, it will be automatically picked up. kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false | -| installCRDs | bool | `true` | Whether to have Helm install the Kyverno CRDs. If the CRDs are not installed by Helm, they must be added before policies can be created. | -| crds.annotations | object | `{}` | Additional CRDs annotations. | -| networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | -| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. 
| -| webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. | -| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. | -| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | -| grafana.enabled | bool | `false` | Enable grafana dashboard creation. | -| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | -| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. | +| config.resourceFilters | list | See [values.yaml](values.yaml) | Resource types to be skipped by the Kyverno policy engine. Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. These are joined together without spaces, run through `tpl`, and the result is set in the config map. | +| config.webhooks | list | `[{"namespaceSelector":{"matchExpressions":[{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system"]}]}}]` | Defines the `namespaceSelector` in the webhook configurations. Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element will be forwarded to the webhook configurations. The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) | +| config.webhookAnnotations | object | `{"admissions.enforcer/disabled":"true"}` | Defines annotations to set on webhook configurations. | +| config.webhookLabels | object | `{}` | Defines labels to set on webhook configurations. | +| config.matchConditions | list | `[]` | Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). 
| +| config.excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters | +| config.resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters | +| config.resourceFiltersExclude | list | `[]` | resourceFilters exclude list Items to exclude from config.resourceFilters | +| config.resourceFiltersIncludeNamespaces | list | `[]` | resourceFilter namespace include Namespaces to include to the default resourceFilters | +| config.resourceFiltersInclude | list | `[]` | resourceFilters include list Items to include to config.resourceFilters | + +### Metrics config + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| metricsConfig.create | bool | `true` | Create the configmap. | +| metricsConfig.name | string | `nil` | The configmap name (required if `create` is `false`). | +| metricsConfig.annotations | object | `{}` | Additional annotations to add to the configmap. | +| metricsConfig.namespaces.include | list | `[]` | List of namespaces to capture metrics for. | +| metricsConfig.namespaces.exclude | list | `[]` | list of namespaces to NOT capture metrics for. | +| metricsConfig.metricsRefreshInterval | string | `nil` | Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. 
WARNING: This flag is not working since Kyverno 1.8.0 | +| metricsConfig.bucketBoundaries | list | `[0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10,15,20,25,30]` | Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller | +| metricsConfig.metricsExposure | map | `nil` | Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller | + +### Features + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| features.admissionReports.enabled | bool | `true` | Enables the feature | +| features.aggregateReports.enabled | bool | `true` | Enables the feature | +| features.policyReports.enabled | bool | `true` | Enables the feature | +| features.validatingAdmissionPolicyReports.enabled | bool | `false` | Enables the feature | +| features.autoUpdateWebhooks.enabled | bool | `true` | Enables the feature | +| features.backgroundScan.enabled | bool | `true` | Enables the feature | +| features.backgroundScan.backgroundScanWorkers | int | `2` | Number of background scan workers | +| features.backgroundScan.backgroundScanInterval | string | `"1h"` | Background scan interval | +| features.backgroundScan.skipResourceFilters | bool | `true` | Skips resource filters in background scan | +| features.configMapCaching.enabled | bool | `true` | Enables the feature | +| features.deferredLoading.enabled | bool | `true` | Enables the feature | +| features.dumpPayload.enabled | bool | `false` | Enables the feature | +| features.forceFailurePolicyIgnore.enabled | bool | `false` | Enables the feature | +| features.generateValidatingAdmissionPolicy.enabled | bool | `false` | Enables the feature | +| features.globalContext.maxApiCallResponseLength | int | `2000000` | Maximum allowed response size from API Calls. 
A value of 0 bypasses checks (not recommended) | +| features.logging.format | string | `"text"` | Logging format | +| features.logging.verbosity | int | `2` | Logging verbosity | +| features.omitEvents.eventTypes | list | `["PolicyApplied","PolicySkipped"]` | Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) | +| features.policyExceptions.enabled | bool | `true` | Enables the feature | +| features.policyExceptions.namespace | string | `""` | Restrict policy exceptions to a single namespace | +| features.protectManagedResources.enabled | bool | `false` | Enables the feature | +| features.registryClient.allowInsecure | bool | `false` | Allow insecure registry | +| features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers | +| features.ttlController.reconciliationInterval | string | `"1m"` | Reconciliation interval for the label based cleanup manager | +| features.tuf.enabled | bool | `false` | Enables the feature | +| features.tuf.root | string | `nil` | Tuf root | +| features.tuf.mirror | string | `nil` | Tuf mirror | + +### Admission controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| admissionController.featuresOverride | object | `{"admissionReports":{"backPressureThreshold":1000}}` | Overrides features defined at the root level | +| admissionController.featuresOverride.admissionReports.backPressureThreshold | int | `1000` | Max number of admission reports allowed in flight until the admission controller stops creating new ones | +| admissionController.rbac.create | bool | `true` | Create RBAC resources | +| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name | +| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| admissionController.rbac.coreClusterRole.extraResources | list | 
See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | +| admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. | +| admissionController.replicas | int | `nil` | Desired number of pods | +| admissionController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| admissionController.podLabels | object | `{}` | Additional labels to add to each pod | +| admissionController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| admissionController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| admissionController.priorityClassName | string | `""` | Optional priority class | +| admissionController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. This will help ensure Kyverno stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ | +| admissionController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration | +| admissionController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. 
Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| admissionController.webhookServer | object | `{"port":9443}` | admissionController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to | +| admissionController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| admissionController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.livenessProbe | object | See [values.yaml](values.yaml) | Liveness probe. The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.readinessProbe | object | See [values.yaml](values.yaml) | Readiness Probe. The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | +| admissionController.nodeSelector | object | `{}` | Node labels for pod assignment | +| admissionController.tolerations | list | `[]` | List of node taints to tolerate | +| admissionController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. 
Enabled by default but can be disabled if you want to schedule pods to the same node. | +| admissionController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| admissionController.podAffinity | object | `{}` | Pod affinity constraints. | +| admissionController.nodeAffinity | object | `{}` | Node affinity constraints. | +| admissionController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| admissionController.podSecurityContext | object | `{}` | Security context for the pod | +| admissionController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | +| admissionController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | +| admissionController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| admissionController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. | +| admissionController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. 
| +| admissionController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| admissionController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.admissionController.caCertificates.data` is defined | +| admissionController.imagePullSecrets | list | `[]` | Image pull secrets | +| admissionController.initContainer.image.registry | string | `"ghcr.io"` | Image registry | +| admissionController.initContainer.image.repository | string | `"kyverno/kyvernopre"` | Image repository | +| admissionController.initContainer.image.tag | string | `nil` | Image tag If missing, defaults to image.tag | +| admissionController.initContainer.image.pullPolicy | string | `nil` | Image pull policy If missing, defaults to image.pullPolicy | +| admissionController.initContainer.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits | +| admissionController.initContainer.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests | +| admissionController.initContainer.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.initContainer.extraArgs | object | `{}` | Additional container args. | +| admissionController.initContainer.extraEnvVars | list | `[]` | Additional container environment variables. 
| +| admissionController.container.image.registry | string | `"ghcr.io"` | Image registry | +| admissionController.container.image.repository | string | `"kyverno/kyverno"` | Image repository | +| admissionController.container.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| admissionController.container.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| admissionController.container.resources.limits | object | `{"memory":"384Mi"}` | Pod resource limits | +| admissionController.container.resources.requests | object | `{"cpu":"100m","memory":"128Mi"}` | Pod resource requests | +| admissionController.container.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context | +| admissionController.container.extraArgs | object | `{}` | Additional container args. | +| admissionController.container.extraEnvVars | list | `[]` | Additional container environment variables. | +| admissionController.extraInitContainers | list | `[]` | Array of extra init containers | +| admissionController.extraContainers | list | `[]` | Array of extra containers to run alongside kyverno | +| admissionController.service.port | int | `443` | Service port. | +| admissionController.service.type | string | `"ClusterIP"` | Service type. | +| admissionController.service.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| admissionController.service.annotations | object | `{}` | Service annotations. | +| admissionController.metricsService.create | bool | `true` | Create service. | +| admissionController.metricsService.port | int | `8000` | Service port. Kyverno's metrics server will be exposed at this port. | +| admissionController.metricsService.type | string | `"ClusterIP"` | Service type. 
| +| admissionController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | +| admissionController.metricsService.annotations | object | `{}` | Service annotations. | +| admissionController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| admissionController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| admissionController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. | +| admissionController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| admissionController.serviceMonitor.namespace | string | `nil` | Override namespace | +| admissionController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| admissionController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| admissionController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| admissionController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| admissionController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping | +| admissionController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. 
| +| admissionController.tracing.enabled | bool | `false` | Enable tracing | +| admissionController.tracing.address | string | `nil` | Traces receiver address | +| admissionController.tracing.port | string | `nil` | Traces receiver port | +| admissionController.tracing.creds | string | `""` | Traces receiver credentials | +| admissionController.metering.disabled | bool | `false` | Disable metrics export | +| admissionController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| admissionController.metering.port | int | `8000` | Prometheus endpoint port | +| admissionController.metering.collector | string | `""` | Otel collector endpoint | +| admissionController.metering.creds | string | `""` | Otel collector credentials | +| admissionController.profiling.enabled | bool | `false` | Enable profiling | +| admissionController.profiling.port | int | `6060` | Profiling endpoint port | +| admissionController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| admissionController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | + +### Background controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backgroundController.featuresOverride | object | `{}` | Overrides features defined at the root level | +| backgroundController.enabled | bool | `true` | Enable background controller. | +| backgroundController.rbac.create | bool | `true` | Create RBAC resources | +| backgroundController.rbac.serviceAccount.name | string | `nil` | Service account name | +| backgroundController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | +| backgroundController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. 
This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. | +| backgroundController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | +| backgroundController.image.registry | string | `"ghcr.io"` | Image registry | +| backgroundController.image.repository | string | `"kyverno/background-controller"` | Image repository | +| backgroundController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | +| backgroundController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | +| backgroundController.imagePullSecrets | list | `[]` | Image pull secrets | +| backgroundController.replicas | int | `nil` | Desired number of pods | +| backgroundController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| backgroundController.podLabels | object | `{}` | Additional labels to add to each pod | +| backgroundController.podAnnotations | object | `{}` | Additional annotations to add to each pod | +| backgroundController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | +| backgroundController.priorityClassName | string | `""` | Optional priority class | +| backgroundController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. | +| backgroundController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. 
For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | +| backgroundController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| backgroundController.extraEnvVars | list | `[]` | Additional container environment variables. | +| backgroundController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | +| backgroundController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | +| backgroundController.nodeSelector | object | `{}` | Node labels for pod assignment | +| backgroundController.tolerations | list | `[]` | List of node taints to tolerate | +| backgroundController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. | +| backgroundController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. | +| backgroundController.podAffinity | object | `{}` | Pod affinity constraints. | +| backgroundController.nodeAffinity | object | `{}` | Node affinity constraints. | +| backgroundController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | +| backgroundController.podSecurityContext | object | `{}` | Security context for the pod | +| backgroundController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| backgroundController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | +| backgroundController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. 
Cannot be used if `maxUnavailable` is set. | +| backgroundController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | +| backgroundController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates | +| backgroundController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.backgroundController.caCertificates.data` is defined | +| backgroundController.metricsService.create | bool | `true` | Create service. | +| backgroundController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. | +| backgroundController.metricsService.type | string | `"ClusterIP"` | Service type. | +| backgroundController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. | +| backgroundController.metricsService.annotations | object | `{}` | Service annotations. | +| backgroundController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. | +| backgroundController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. | +| backgroundController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. 
| +| backgroundController.serviceMonitor.additionalLabels | object | `{}` | Additional labels | +| backgroundController.serviceMonitor.namespace | string | `nil` | Override namespace | +| backgroundController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics | +| backgroundController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval | +| backgroundController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint | +| backgroundController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint | +| backgroundController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping | +| backgroundController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. | +| backgroundController.tracing.enabled | bool | `false` | Enable tracing | +| backgroundController.tracing.address | string | `nil` | Traces receiver address | +| backgroundController.tracing.port | string | `nil` | Traces receiver port | +| backgroundController.tracing.creds | string | `""` | Traces receiver credentials | +| backgroundController.metering.disabled | bool | `false` | Disable metrics export | +| backgroundController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` | +| backgroundController.metering.port | int | `8000` | Prometheus endpoint port | +| backgroundController.metering.collector | string | `""` | Otel collector endpoint | +| backgroundController.metering.creds | string | `""` | Otel collector credentials | +| backgroundController.server | object | `{"port":9443}` | backgroundController server port in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to | +| backgroundController.profiling.enabled | bool | `false` | Enable profiling | +| backgroundController.profiling.port | int | 
`6060` | Profiling endpoint port | +| backgroundController.profiling.serviceType | string | `"ClusterIP"` | Service type. | +| backgroundController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. | + +### Cleanup controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cleanupController.featuresOverride | object | `{}` | Overrides features defined at the root level | | cleanupController.enabled | bool | `true` | Enable cleanup controller. | | cleanupController.rbac.create | bool | `true` | Create RBAC resources | | cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name | +| cleanupController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount | | cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role | | cleanupController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. 
| -| cleanupController.image.registry | string | `nil` | Image registry | -| cleanupController.image.repository | string | `"ghcr.io/kyverno/cleanup-controller"` | Image repository | +| cleanupController.image.registry | string | `"ghcr.io"` | Image registry | +| cleanupController.image.repository | string | `"kyverno/cleanup-controller"` | Image repository | | cleanupController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted | | cleanupController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy | -| cleanupController.image.pullSecrets | list | `[]` | Image pull secrets | +| cleanupController.imagePullSecrets | list | `[]` | Image pull secrets | | cleanupController.replicas | int | `nil` | Desired number of pods | +| cleanupController.revisionHistoryLimit | int | `10` | The number of revisions to keep | +| cleanupController.podLabels | object | `{}` | Additional labels to add to each pod | +| cleanupController.podAnnotations | object | `{}` | Additional annotations to add to each pod | | cleanupController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy | | cleanupController.priorityClassName | string | `""` | Optional priority class | | cleanupController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. 
| +| cleanupController.server | object | `{"port":9443}` | cleanupController server port in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to | +| cleanupController.webhookServer | object | `{"port":9443}` | cleanupController webhook server port in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to | | cleanupController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. | -| cleanupController.extraArgs | list | `[]` | Extra arguments passed to the container on the command line | +| cleanupController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line | +| cleanupController.extraEnvVars | list | `[]` | Additional container environment variables. | | cleanupController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits | | cleanupController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests | | cleanupController.startupProbe | object | See [values.yaml](values.yaml) | Startup probe. The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ | 
@@ -247,6 +561,7 @@ The command removes all the Kubernetes components associated with the chart and | cleanupController.topologySpreadConstraints | list | `[]` | Topology spread constraints. | | cleanupController.podSecurityContext | object | `{}` | Security context for the pod | | cleanupController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers | +| cleanupController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. | | cleanupController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. | | cleanupController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. | | cleanupController.service.port | int | `443` | Service port. | 
@@ -258,29 +573,200 @@ The command removes all the Kubernetes components associated with the chart and
 | cleanupController.metricsService.type | string | `"ClusterIP"` | Service type. |
 | cleanupController.metricsService.nodePort | string | `nil` | Service node port. Only used if `metricsService.type` is `NodePort`. |
 | cleanupController.metricsService.annotations | object | `{}` | Service annotations. |
+| cleanupController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| cleanupController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | cleanupController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
-| cleanupController.serviceMonitor.additionalLabels | string | `nil` | Additional labels |
-| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace (default is the same as kyverno) |
+| cleanupController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| cleanupController.serviceMonitor.namespace | string | `nil` | Override namespace |
 | cleanupController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
 | cleanupController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
 | cleanupController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
 | cleanupController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
+| cleanupController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping |
+| cleanupController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. |
 | cleanupController.tracing.enabled | bool | `false` | Enable tracing |
 | cleanupController.tracing.address | string | `nil` | Traces receiver address |
 | cleanupController.tracing.port | string | `nil` | Traces receiver port |
 | cleanupController.tracing.creds | string | `""` | Traces receiver credentials |
-| cleanupController.logging.format | string | `"text"` | Logging format |
 | cleanupController.metering.disabled | bool | `false` | Disable metrics export |
 | cleanupController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
 | cleanupController.metering.port | int | `8000` | Prometheus endpoint port |
 | cleanupController.metering.collector | string | `""` | Otel collector endpoint |
 | cleanupController.metering.creds | string | `""` | Otel collector credentials |
+| cleanupController.profiling.enabled | bool | `false` | Enable profiling |
+| cleanupController.profiling.port | int | `6060` | Profiling endpoint port |
+| cleanupController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| cleanupController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
+
+### Reports controller
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| reportsController.featuresOverride | object | `{}` | Overrides features defined at the root level |
+| reportsController.enabled | bool | `true` | Enable reports controller. |
+| reportsController.rbac.create | bool | `true` | Create RBAC resources |
+| reportsController.rbac.serviceAccount.name | string | `nil` | Service account name |
+| reportsController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| reportsController.rbac.coreClusterRole.extraResources | list | See [values.yaml](values.yaml) | Extra resource permissions to add in the core cluster role. This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. |
+| reportsController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
+| reportsController.image.registry | string | `"ghcr.io"` | Image registry |
+| reportsController.image.repository | string | `"kyverno/reports-controller"` | Image repository |
+| reportsController.image.tag | string | `nil` | Image tag Defaults to appVersion in Chart.yaml if omitted |
+| reportsController.image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
+| reportsController.imagePullSecrets | list | `[]` | Image pull secrets |
+| reportsController.replicas | int | `nil` | Desired number of pods |
+| reportsController.revisionHistoryLimit | int | `10` | The number of revisions to keep |
+| reportsController.podLabels | object | `{}` | Additional labels to add to each pod |
+| reportsController.podAnnotations | object | `{}` | Additional annotations to add to each pod |
+| reportsController.updateStrategy | object | See [values.yaml](values.yaml) | Deployment update strategy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy |
+| reportsController.priorityClassName | string | `""` | Optional priority class |
+| reportsController.apiPriorityAndFairness | bool | `false` | Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. This will help ensure Kyverno reports stability in busy clusters. Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ |
+| reportsController.priorityLevelConfigurationSpec | object | See [values.yaml](values.yaml) | Priority level configuration. The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration |
+| reportsController.hostNetwork | bool | `false` | Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. Update the `dnsPolicy` accordingly as well to suit the host network mode. |
+| reportsController.dnsPolicy | string | `"ClusterFirst"` | `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. |
+| reportsController.extraArgs | object | `{}` | Extra arguments passed to the container on the command line |
+| reportsController.extraEnvVars | list | `[]` | Additional container environment variables. |
+| reportsController.resources.limits | object | `{"memory":"128Mi"}` | Pod resource limits |
+| reportsController.resources.requests | object | `{"cpu":"100m","memory":"64Mi"}` | Pod resource requests |
+| reportsController.nodeSelector | object | `{}` | Node labels for pod assignment |
+| reportsController.tolerations | list | `[]` | List of node taints to tolerate |
+| reportsController.antiAffinity.enabled | bool | `true` | Pod antiAffinities toggle. Enabled by default but can be disabled if you want to schedule pods to the same node. |
+| reportsController.podAntiAffinity | object | See [values.yaml](values.yaml) | Pod anti affinity constraints. |
+| reportsController.podAffinity | object | `{}` | Pod affinity constraints. |
+| reportsController.nodeAffinity | object | `{}` | Node affinity constraints. |
+| reportsController.topologySpreadConstraints | list | `[]` | Topology spread constraints. |
+| reportsController.podSecurityContext | object | `{}` | Security context for the pod |
+| reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
+| reportsController.podDisruptionBudget.enabled | bool | `false` | Enable PodDisruptionBudget. Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. |
+| reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
+| reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
+| reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
+| reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
+| reportsController.caCertificates.data | string | `nil` | CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates |
+| reportsController.caCertificates.volume | object | `{}` | Volume to be mounted for CA certificates Not used when `.Values.reportsController.caCertificates.data` is defined |
+| reportsController.metricsService.create | bool | `true` | Create service. |
+| reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
+| reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
+| reportsController.metricsService.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
+| reportsController.metricsService.annotations | object | `{}` | Service annotations. |
+| reportsController.networkPolicy.enabled | bool | `false` | When true, use a NetworkPolicy to allow ingress to the webhook This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. |
+| reportsController.networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
+| reportsController.serviceMonitor.enabled | bool | `false` | Create a `ServiceMonitor` to collect Prometheus metrics. |
+| reportsController.serviceMonitor.additionalLabels | object | `{}` | Additional labels |
+| reportsController.serviceMonitor.namespace | string | `nil` | Override namespace |
+| reportsController.serviceMonitor.interval | string | `"30s"` | Interval to scrape metrics |
+| reportsController.serviceMonitor.scrapeTimeout | string | `"25s"` | Timeout if metrics can't be retrieved in given time interval |
+| reportsController.serviceMonitor.secure | bool | `false` | Is TLS required for endpoint |
+| reportsController.serviceMonitor.tlsConfig | object | `{}` | TLS Configuration for endpoint |
+| reportsController.serviceMonitor.relabelings | list | `[]` | RelabelConfigs to apply to samples before scraping |
+| reportsController.serviceMonitor.metricRelabelings | list | `[]` | MetricRelabelConfigs to apply to samples before ingestion. |
+| reportsController.tracing.enabled | bool | `false` | Enable tracing |
+| reportsController.tracing.address | string | `nil` | Traces receiver address |
+| reportsController.tracing.port | string | `nil` | Traces receiver port |
+| reportsController.tracing.creds | string | `nil` | Traces receiver credentials |
+| reportsController.metering.disabled | bool | `false` | Disable metrics export |
+| reportsController.metering.config | string | `"prometheus"` | Otel configuration, can be `prometheus` or `grpc` |
+| reportsController.metering.port | int | `8000` | Prometheus endpoint port |
+| reportsController.metering.collector | string | `nil` | Otel collector endpoint |
+| reportsController.metering.creds | string | `nil` | Otel collector credentials |
+| reportsController.server | object | `{"port":9443}` | reportsController server port in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to |
+| reportsController.profiling.enabled | bool | `false` | Enable profiling |
+| reportsController.profiling.port | int | `6060` | Profiling endpoint port |
+| reportsController.profiling.serviceType | string | `"ClusterIP"` | Service type. |
+| reportsController.profiling.nodePort | string | `nil` | Service node port. Only used if `type` is `NodePort`. |
+
+### Grafana
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
+| grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
+| grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
+| grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
+| grafana.labels | object | `{"grafana_dashboard":"1"}` | Grafana dashboard configmap labels |
+| grafana.grafanaDashboard | object | `{"allowCrossNamespaceImport":true,"create":false,"folder":"kyverno","matchLabels":{"dashboards":"grafana"}}` | create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ |
+
+### Webhooks cleanup
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| webhooksCleanup.enabled | bool | `true` | Create a helm pre-delete hook to cleanup webhooks. |
+| webhooksCleanup.image.registry | string | `nil` | Image registry |
+| webhooksCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| webhooksCleanup.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
+| webhooksCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| webhooksCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
+| webhooksCleanup.podSecurityContext | object | `{}` | Security context for the pod |
+| webhooksCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
+| webhooksCleanup.tolerations | list | `[]` | List of node taints to tolerate |
+| webhooksCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| webhooksCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
+| webhooksCleanup.podLabels | object | `{}` | Pod labels. |
+| webhooksCleanup.podAnnotations | object | `{}` | Pod annotations. |
+| webhooksCleanup.nodeAffinity | object | `{}` | Node affinity constraints. |
+| webhooksCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers |
+
+### Test
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| test.image.registry | string | `nil` | Image registry |
+| test.image.repository | string | `"busybox"` | Image repository |
+| test.image.tag | string | `"1.35"` | Image tag Defaults to `latest` if omitted |
+| test.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| test.resources.limits | object | `{"cpu":"100m","memory":"256Mi"}` | Pod resource limits |
+| test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
+| test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
+
+### Api version override
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| apiVersionOverride.podDisruptionBudget | string | `nil` | Override api version used to create `PodDisruptionBudget`` resources. When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to determine the api version automatically. |
+
+### Cleanup jobs
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+
+### Other
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| global.image.registry | string | `nil` | Global value that allows to set a single image registry across all deployments. When set, it will override any values set under `.image.registry` across the chart. |
+| global.caCertificates.data | string | `nil` | Global CA certificates to use with Kyverno deployments This value is expected to be one large string of CA certificates Individual controller values will override this global value |
+| global.caCertificates.volume | object | `{}` | Global value to set single volume to be mounted for CA certificates for all deployments. Not used when `.Values.global.caCertificates.data` is defined Individual controller values will override this global value |
+| global.extraEnvVars | list | `[]` | Additional container environment variables to apply to all containers and init containers |
+| global.nodeSelector | object | `{}` | Global node labels for pod assignment. Non-global values will override the global value. |
+| global.tolerations | list | `[]` | Global List of node taints to tolerate. Non-global values will override the global value. |
+| nameOverride | string | `nil` | Override the name of the chart |
+| fullnameOverride | string | `nil` | Override the expanded name of the chart |
+| namespaceOverride | string | `nil` | Override the namespace the chart deploys to |
+| upgrade.fromV2 | bool | `false` | Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. |
+| imagePullSecrets | object | `{}` | Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
+| existingImagePullSecrets | list | `[]` | Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument |
+| customLabels | object | `{}` | Additional labels |
+| policyReportsCleanup.enabled | bool | `true` | Create a helm post-upgrade hook to cleanup the old policy reports. |
+| policyReportsCleanup.image.registry | string | `nil` | Image registry |
+| policyReportsCleanup.image.repository | string | `"bitnami/kubectl"` | Image repository |
+| policyReportsCleanup.image.tag | string | `"1.30.2"` | Image tag Defaults to `latest` if omitted |
+| policyReportsCleanup.image.pullPolicy | string | `nil` | Image pull policy Defaults to image.pullPolicy if omitted |
+| policyReportsCleanup.imagePullSecrets | list | `[]` | Image pull secrets |
+| policyReportsCleanup.podSecurityContext | object | `{}` | Security context for the pod |
+| policyReportsCleanup.nodeSelector | object | `{}` | Node labels for pod assignment |
+| policyReportsCleanup.tolerations | list | `[]` | List of node taints to tolerate |
+| policyReportsCleanup.podAntiAffinity | object | `{}` | Pod anti affinity constraints. |
+| policyReportsCleanup.podAffinity | object | `{}` | Pod affinity constraints. |
+| policyReportsCleanup.podLabels | object | `{}` | Pod labels. |
+| policyReportsCleanup.podAnnotations | object | `{}` | Pod annotations. |
+| policyReportsCleanup.nodeAffinity | object | `{}` | Node affinity constraints. 
| +| policyReportsCleanup.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the hook containers | ## TLS Configuration -If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) +If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) -If `createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). +If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). ## Default resource filters 
@@ -312,11 +798,15 @@ It contains an array of string templates that are passed through the `tpl` Helm Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list. +Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`. + +Add entries to `config.resourceFiltersInclude` that you with to add to `config.resourceFilters`. + ## High availability Running a highly-available Kyverno installation is crucial in a production environment. -In order to run Kyverno in high availability mode, you should set `replicaCount` to `3` or more. +In order to run Kyverno in high availability mode, you should set `replicas` to `3` or more for desired components. You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones. Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations. @@ -327,7 +817,12 @@ Please see https://kyverno.io/docs/installation/#security-vs-operability for mor ## Requirements -Kubernetes: `>=1.16.0-0` +Kubernetes: `>=1.25.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| | crds | v0.0.0 | +| | grafana | v0.0.0 | ## Maintainers diff --git a/charts/kyverno/README.md.gotmpl b/charts/kyverno/README.md.gotmpl index 5b86fc6cda99..942c2c057f88 100644 --- a/charts/kyverno/README.md.gotmpl +++ b/charts/kyverno/README.md.gotmpl @@ -21,6 +21,10 @@ Access the complete user documentation and guides at: https://kyverno.io. ## Installing the Chart +**IMPORTANT IMPORTANT IMPORTANT IMPORTANT** + +This chart changed significantly between `v2` and `v3`. If you are upgrading from `v2`, please read `Migrating from v2 to v3` section. + **Add the Kyverno Helm repository:** ```console 
@@ -105,6 +109,135 @@ spec: - Replace=true ``` +**Notes on using Azure Kubernetes Service (AKS):** + +AKS contains a component known as [Admission Enforcer](https://learn.microsoft.com/en-us/azure/aks/faq#can-admission-controller-webhooks-impact-kube-system-and-internal-aks-namespaces) which will attempt to modify Kyverno's webhooks if not excluded explicitly during Helm installation. If Admissions Enforcer is not disabled, this can lead to several symptoms such as high observed CPU usage and potentially cluster instability. Please see the Kyverno documentation [here](https://kyverno.io/docs/installation/platform-notes/#notes-for-aks-users) for more information and how to set this annotation on webhooks. + +## Migrating from v2 to v3 + +Direct upgrades from v2 of the Helm chart to v3 are not supported due to the number of breaking changes and manual intervention is required. Review and select an option after carefully reading below. Because either method requires down time, an upgrade should only be performed during a maintenance window. Regardless of the chosen option, please read all release notes very carefully to understand the full extent of changes brought by Kyverno 1.10. Release notes can be found at https://github.com/kyverno/kyverno/releases. + +**IMPORTANT NOTE**: If you currently use [clone-type](https://kyverno.io/docs/writing-policies/generate/#clone-source) generate rules with synchronization enabled, please do not upgrade to 1.10.0 as there is a bug which may prevent synchronization from occurring on all downstream (generated) resources when the source is updated. Please wait for a future patch where this should be resolved. See [issue 7170](https://github.com/kyverno/kyverno/issues/7170) for further details. + +### Option 1 - Uninstallation and Reinstallation + +The first option for upgrading, which is the recommended option, involves backing up Kyverno policy resources, uninstalling Kyverno, and reinstalling with v3 of the chart. 
Policy Reports for policies which have background mode enabled will be regenerated upon the next scan interval. + +**Pros** + +* Reduced complexity with minimal effort +* Allows re-checking older policies against new validation webhooks in 1.10 + +**Cons** + +* Policy Reports which contained results only from admission mode and from policies/rules where background scans were disabled will be lost. +* Requires additional steps if data-type generate rules are used + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Backup and export all Kyverno policy resources to a YAML manifest. Use the command `kubectl get pol,cpol,cleanpol,ccleanpol,polex -A -o yaml > kyvernobackup.yaml`. + 1. Before performing this step, if you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`) disable synchronization first (set `generate.synchronize: false`). If you do not perform this step first, uninstallation of Kyverno in the subsequent step, which removes all policies, will result in deletion of generated resources. +3. Uninstall your current version of Kyverno. +4. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +5. Install the v3 chart with Kyverno 1.10. +6. Restore your Kyverno policies. Use the command `kubectl create -f kyvernobackup.yaml`. + 1. Before performing this step, if step 2.1 applied to you, enable synchronization (set `generate.synchronize: true`) AND add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. 
Also, understand that when re-installing these policies with `spec.generateExisting: true`, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. + +### Option 2 - Scale to Zero + +In the second option, Kyverno policies do not have to be backed up however you perform more manual work in order to prepare for the upgrade to chart v3. + +**Pros** + +* Policy Reports which contained results from admission mode will be preserved +* Kyverno policies do not need to be backed up first + +**Cons** + +* Older policies will not be revalidated for correctness according to the breaking schema changes. Some policies may not work as they did before. +* Requires additional steps if data-type generate rules are used + +Follow the procedure below. + +1. READ THE COMPLETE RELEASE NOTES FIRST +2. Scale the `kyverno` Deployment to zero replicas. +3. If coming from 1.9 and you have installed the cleanup controller, scale the `kyverno-cleanup-controller` Deployment to zero replicas. +4. If step 3 applied to you, now delete the cleanup Deployment. +5. Review the [New Chart Values](#new-chart-values) section and translate your desired features and configurations to the new format. +6. Upgrade to the v3 chart by passing the mandatory flag `upgrade.fromV2=true`. +7. If you use [data-type](https://kyverno.io/docs/writing-policies/generate/#data-source) generate rules with synchronization enabled (`generate.synchronize: true`), after the upgrade modify those policies to add the field `spec.generateExisting: true`. This will cause existing, generated resources to be refreshed with the new labeling system used by Kyverno 1.10. Note that this may increment the `resourceVersion` field on all downstream resources. 
Also, understand that when making this modification, it could result in additional resources being created at that moment based upon the current match defined in the policy. You may need to further refine the match/exclude blocks of your rules to account for this. + +### New Chart Values + +In `v3` chart values changed significantly, please read the instructions below to migrate your values: + +- `config.metricsConfig` is now `metricsConfig` +- `resourceFiltersExcludeNamespaces` has been replaced with `config.resourceFiltersExcludeNamespaces` +- `excludeKyvernoNamespace` has been replaced with `config.excludeKyvernoNamespace` +- `config.existingConfig` has been replaced with `config.create` and `config.name` to __support bring your own config__ +- `config.existingMetricsConfig` has been replaced with `metricsConfig.create` and `metricsConfig.name` to __support bring your own config__ +- `namespace` has been renamed `namespaceOverride` +- `installCRDs` has been replaced with `crds.install` +- `testImage` has been replaced with `test.image` +- `testResources` has been replaced with `test.resources` +- `testSecurityContext` has been replaced with `test.securityContext` +- `replicaCount` has been replaced with `admissionController.replicas` +- `updateStrategy` has been replaced with `admissionController.updateStrategy` +- `priorityClassName` has been replaced with `admissionController.priorityClassName` +- `hostNetwork` has been replaced with `admissionController.hostNetwork` +- `dnsPolicy` has been replaced with `admissionController.dnsPolicy` +- `nodeSelector` has been replaced with `admissionController.nodeSelector` +- `tolerations` has been replaced with `admissionController.tolerations` +- `topologySpreadConstraints` has been replaced with `admissionController.topologySpreadConstraints` +- `podDisruptionBudget` has been replaced with `admissionController.podDisruptionBudget` +- `antiAffinity` has been replaced with `admissionController.antiAffinity` +- 
`antiAffinity.enable` has been replaced with `admissionController.antiAffinity.enabled` +- `podAntiAffinity` has been replaced with `admissionController.podAntiAffinity` +- `podAffinity` has been replaced with `admissionController.podAffinity` +- `nodeAffinity` has been replaced with `admissionController.nodeAffinity` +- `startupProbe` has been replaced with `admissionController.startupProbe` +- `livenessProbe` has been replaced with `admissionController.livenessProbe` +- `readinessProbe` has been replaced with `admissionController.readinessProbe` +- `createSelfSignedCert` has been replaced with `admissionController.createSelfSignedCert` +- `serviceMonitor` has been replaced with `admissionController.serviceMonitor` +- `podSecurityContext` has been replaced with `admissionController.podSecurityContext` +- `tufRootMountPath` has been replaced with `admissionController.tufRootMountPath` +- `sigstoreVolume` has been replaced with `admissionController.sigstoreVolume` +- `initImage` has been replaced with `admissionController.initContainer.image` +- `initResources` has been replaced with `admissionController.initContainer.resources` +- `image` has been replaced with `admissionController.container.image` +- `image.pullSecrets` has been replaced with `admissionController.imagePullSecrets` +- `resources` has been replaced with `admissionController.container.resources` +- `service` has been replaced with `admissionController.service` +- `metricsService` has been replaced with `admissionController.metricsService` +- `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs` +- `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars` +- `envVars` has been replaced with `admissionController.container.extraEnvVars` +- `extraArgs` has been replaced with `admissionController.container.extraArgs` +- `extraInitContainers` has been replaced with `admissionController.extraInitContainers` +- `extraContainers` has been 
replaced with `admissionController.extraContainers` +- `podLabels` has been replaced with `admissionController.podLabels` +- `podAnnotations` has been replaced with `admissionController.podAnnotations` +- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext` +- `rbac` has been replaced with `admissionController.rbac` +- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources` +- `networkPolicy` has been replaced with `admissionController.networkPolicy` +- all `extraArgs` now use objects instead of arrays +- logging, tracing and metering are now configured using `*Controller.logging`, `*Controller.tracing` and `*Controller.metering` + +- Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above. + +- Image tags are now validated and must be strings, if you use image tags in the `1.35` form please add quotes around the tag value. + +- Image references are now using the `registry` setting, if you override the registry or repository fields please use `registry` (`--set image.registry=ghcr.io --set image.repository=kyverno/kyverno` instead of `--set image.repository=ghcr.io/kyverno/kyverno`). + +- Admission controller `Deployment` name changed from `kyverno` to `kyverno-admission-controller`. +- `config.excludeUsername` was renamed to `config.excludeUsernames` +- `config.excludeGroupRole` was renamed to `config.excludeGroups` + +Hardcoded defaults for `config.excludeGroups` and `config.excludeUsernames` have been removed, please review those fields if you provide your own exclusions. + ## Uninstalling the Chart To uninstall/delete the `kyverno` deployment: 
@@ -115,13 +248,117 @@ $ helm delete -n kyverno kyverno The command removes all the Kubernetes components associated with the chart and deletes the release. -{{ template "chart.valuesSection" . }} +## Values + +The chart values are organised per component. + +{{- $other := list -}} +{{- $crds := list -}} +{{- $config := list -}} +{{- $metricsConfig := list -}} +{{- $features := list -}} +{{- $admissionController := list -}} +{{- $backgroundController := list -}} +{{- $cleanupController := list -}} +{{- $reportsController := list -}} +{{- $grafana := list -}} +{{- $test := list -}} +{{- $apiVersionOverride := list -}} +{{- $webhooksCleanup := list -}} +{{- $cleanupJobs := list -}} +{{- range .Values -}} + {{- if (hasPrefix "admissionController." .Key) -}} + {{- $admissionController = append $admissionController . -}} + {{- else if (hasPrefix "backgroundController." .Key) -}} + {{- $backgroundController = append $backgroundController . -}} + {{- else if (hasPrefix "cleanupController." .Key) -}} + {{- $cleanupController = append $cleanupController . -}} + {{- else if (hasPrefix "reportsController." .Key) -}} + {{- $reportsController = append $reportsController . -}} + {{- else if (hasPrefix "crds." .Key) -}} + {{- $crds = append $crds . -}} + {{- else if (hasPrefix "config." .Key) -}} + {{- $config = append $config . -}} + {{- else if (hasPrefix "metricsConfig." .Key) -}} + {{- $metricsConfig = append $metricsConfig . -}} + {{- else if (hasPrefix "webhooksCleanup." .Key) -}} + {{- $webhooksCleanup = append $webhooksCleanup . -}} + {{- else if (hasPrefix "grafana." .Key) -}} + {{- $grafana = append $grafana . -}} + {{- else if (hasPrefix "features." .Key) -}} + {{- $features = append $features . -}} + {{- else if (hasPrefix "test." .Key) -}} + {{- $test = append $test . -}} + {{- else if (hasPrefix "apiVersionOverride." .Key) -}} + {{- $apiVersionOverride = append $apiVersionOverride . -}} + {{- else if (hasPrefix "cleanupJobs." 
.Key) -}} + {{- $cleanupJobs = append $cleanupJobs . -}} + {{- else -}} + {{- $other = append $other . -}} + {{- end -}} +{{- end }} + +### Custom resource definitions + +{{ template "chart.valuesTable" (dict "Values" $crds) }} + +### Config + +{{ template "chart.valuesTable" (dict "Values" $config) }} + +### Metrics config + +{{ template "chart.valuesTable" (dict "Values" $metricsConfig) }} + +### Features + +{{ template "chart.valuesTable" (dict "Values" $features) }} + +### Admission controller + +{{ template "chart.valuesTable" (dict "Values" $admissionController) }} + +### Background controller + +{{ template "chart.valuesTable" (dict "Values" $backgroundController) }} + +### Cleanup controller + +{{ template "chart.valuesTable" (dict "Values" $cleanupController) }} + +### Reports controller + +{{ template "chart.valuesTable" (dict "Values" $reportsController) }} + +### Grafana + +{{ template "chart.valuesTable" (dict "Values" $grafana) }} + +### Webhooks cleanup + +{{ template "chart.valuesTable" (dict "Values" $webhooksCleanup) }} + +### Test + +{{ template "chart.valuesTable" (dict "Values" $test) }} + +### Api version override + +{{ template "chart.valuesTable" (dict "Values" $apiVersionOverride) }} + +### Cleanup jobs + +{{ template "chart.valuesTable" (dict "Values" $cleanupJobs) }} + +### Other + +{{ template "chart.valuesTable" (dict "Values" $other) }} ## TLS Configuration -If `createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) +If `admissionController.createSelfSignedCert` is `true`, Helm will take care of the steps of creating an external self-signed certificate described in option 2 of the [installation documentation](https://kyverno.io/docs/installation/#option-2-use-your-own-ca-signed-certificate) -If `createSelfSignedCert` is `false`, Kyverno 
will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). +If `admissionController.createSelfSignedCert` is `false`, Kyverno will generate a self-signed CA and a certificate, or you can provide your own TLS CA and signed-key pair and create the secret yourself as described in the [documentation](https://kyverno.io/docs/installation/#customize-the-installation-of-kyverno). ## Default resource filters @@ -153,11 +390,15 @@ It contains an array of string templates that are passed through the `tpl` Helm Please consult the [values.yaml](./values.yaml) file before overriding `config.resourceFilters` and use the apropriate templates to build your desired exclusions list. +Add entries to `config.resourceFiltersExclude` that you wish to omit from `config.resourceFilters`. + +Add entries to `config.resourceFiltersInclude` that you with to add to `config.resourceFilters`. + ## High availability Running a highly-available Kyverno installation is crucial in a production environment. -In order to run Kyverno in high availability mode, you should set `replicaCount` to `3` or more. +In order to run Kyverno in high availability mode, you should set `replicas` to `3` or more for desired components. You should also pay attention to anti affinity rules, spreading pods across nodes and availability zones. Please see https://kyverno.io/docs/installation/#security-vs-operability for more informations. diff --git a/charts/kyverno/charts/crds/Chart.yaml b/charts/kyverno/charts/crds/Chart.yaml new file mode 100644 index 000000000000..7054a947fddb --- /dev/null +++ b/charts/kyverno/charts/crds/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: crds +version: v0.0.0 
diff --git a/charts/kyverno/charts/crds/README.md b/charts/kyverno/charts/crds/README.md
new file mode 100644
index 000000000000..f12f5c62f62c
--- /dev/null
+++ b/charts/kyverno/charts/crds/README.md
@@ -0,0 +1,16 @@
+# crds
+
+![Version: v0.0.0](https://img.shields.io/badge/Version-v0.0.0-informational?style=flat-square)
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| groups.kyverno | object | `{"cleanuppolicies":true,"clustercleanuppolicies":true,"clusterpolicies":true,"globalcontextentries":true,"policies":true,"policyexceptions":true,"updaterequests":true}` | This field can be overwritten by setting crds.labels in the parent chart |
+| groups.reports | object | `{"clusterephemeralreports":true,"ephemeralreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
+| groups.wgpolicyk8s | object | `{"clusterpolicyreports":true,"policyreports":true}` | This field can be overwritten by setting crds.labels in the parent chart |
+| annotations | object | `{}` | This field can be overwritten by setting crds.annotations in the parent chart |
+| customLabels | object | `{}` | This field can be overwritten by setting crds.labels in the parent chart |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
diff --git a/charts/kyverno/charts/crds/templates/_helpers.tpl b/charts/kyverno/charts/crds/templates/_helpers.tpl
new file mode 100644
index 000000000000..5401de53e8ba
--- /dev/null
+++ b/charts/kyverno/charts/crds/templates/_helpers.tpl
@@ -0,0 +1,16 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.crds.labels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.common" .)
+ (include "kyverno.crds.matchLabels" .)
+ (toYaml .Values.customLabels)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.crds.matchLabels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.matchLabels.common" .)
+ (include "kyverno.labels.component" "crds")
+) -}}
+{{- end -}}
diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
new file mode 100644
index 000000000000..5a879f3aec3d
--- /dev/null
+++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_cleanuppolicies.yaml
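Review bot: Both `kyverno.crds.labels` and `kyverno.crds.matchLabels` invoke named templates (`kyverno.labels.merge`, `kyverno.labels.common`, `kyverno.matchLabels.common`, `kyverno.labels.component`) that this new subchart does not define anywhere in the hunk, so the file only renders when the crds chart is loaded as a dependency of a parent that provides them (presumably the parent kyverno chart's helpers, not visible here). Rendering or linting the subchart on its own will fail on an undefined template, and nothing in the file says so. A header comment after the vim modeline would make the coupling explicit for the next maintainer: `{{/* Relies on the kyverno.labels.* and kyverno.matchLabels.* named templates supplied by the parent chart; this subchart is not renderable standalone. */}}`. The same note could also be reflected in the subchart README, which currently only describes the override paths from the parent chart.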
@@ -0,0 +1,2500 @@ +{{- if .Values.groups.kyverno.cleanuppolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: cleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: CleanupPolicy + listKind: CleanupPolicyList + plural: cleanuppolicies + shortNames: + - cleanpol + singular: cleanuppolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. 
+ properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: CleanupPolicy defines a rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. 
+ properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml new file mode 100644 index 000000000000..cb47ef814641 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clustercleanuppolicies.yaml 
@@ -0,0 +1,2500 @@ +{{- if .Values.groups.kyverno.clustercleanuppolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: clustercleanuppolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterCleanupPolicy + listKind: ClusterCleanupPolicyList + plural: clustercleanuppolicies + shortNames: + - ccleanpol + singular: clustercleanuppolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. 
For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. 
+ properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.schedule + name: Schedule + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterCleanupPolicy defines rule for resource cleanup. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + conditions: + description: Conditions defines the conditions used to select the + resources which will be cleaned up. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + context: + description: Context defines variables and data sources that can be + used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data + value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET or POST). + Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference to a + cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure access + to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + match: + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. 
+ properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + schedule: + description: The schedule in Cron format + type: string + required: + - schedule + type: object + status: + description: Status contains policy runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastExecutionTime: + format: date-time + type: string + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml new file mode 100644 index 000000000000..6cc6fe94c0f1 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_clusterpolicies.yaml 
@@ -0,0 +1,17312 @@ +{{- if .Values.groups.kyverno.clusterpolicies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterpolicies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: ClusterPolicy + listKind: ClusterPolicyList + plural: clusterpolicies + shortNames: + - cpol + singular: clusterpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. 
+ enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). 
+ type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. 
+ Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. 
+ type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
+ type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
+ x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. 
+ type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. 
+ In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. 
Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. 
+ [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. 
+ type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). 
+ items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. 
Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. 
Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. 
+ type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. 
+ type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. 
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. 
It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. 
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. 
+ This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. 
Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. 
+ items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. 
If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. 
+ type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. 
+ properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. 
+ items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. 
+ type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. 
+ type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. 
+ type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. 
+ items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). 
+ properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. 
+ type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. 
+ No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. 
+ If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. 
+ type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. 
+ + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. 
+ properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. 
+ properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). 
+ items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. 
Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. 
Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. 
+ type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. 
+ type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when 
validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: ClusterPolicy declares validation, mutation, and generation behaviors + for matching resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy behaviors. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. 
+ Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 
'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. 
+ properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. 
Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. 
+ items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. 
This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. 
+ type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
+ x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. 
+ type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. 
+ properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. 
+ properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. 
+ The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. 
+ Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. 
+ properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. 
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. 
The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. 
+ properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. 
+ properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. 
+ type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. 
+ type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. 
Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. 
+ type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. 
Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. 
+ If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. 
+ enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. 
+ type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. 
It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. 
+ items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. 
"/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. 
The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. 
+ x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. 
+ type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. 
+ Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
+ x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. 
+ type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. 
+ In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. 
Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. 
[1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. 
+ type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). 
+ items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. 
Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. 
Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. 
+ type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. 
+ type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when 
validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml new file mode 100644 index 000000000000..d3a19ffb9d91 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_globalcontextentries.yaml 
@@ -0,0 +1,254 @@ +{{- if .Values.groups.kyverno.globalcontextentries }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: globalcontextentries.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: GlobalContextEntry + listKind: GlobalContextEntryList + plural: globalcontextentries + shortNames: + - gctxentry + singular: globalcontextentry + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.apiCall.refreshInterval + name: REFRESH INTERVAL + type: string + - jsonPath: .status.lastRefreshTime + name: LAST REFRESH + type: date + name: v2alpha1 + schema: + openAPIV3Schema: + description: GlobalContextEntry declares resources to be cached. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + apiCall: + description: |- + Stores results from an API call which will be cached. 
+ Mutually exclusive with KubernetesResource. + This can be used to make calls to external (non-Kubernetes API server) services. + It can also be used to make calls to the Kubernetes API server in such cases: + 1. A POST is needed to create a resource. + 2. Finer-grained control is needed. Example: To restrict the number of resources cached. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST data + properties: + key: + description: Key is a unique identifier for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + method: + default: GET + description: Method is the HTTP request type (GET or POST). Defaults + to GET. + enum: + - GET + - POST + type: string + refreshInterval: + default: 10m + description: |- + RefreshInterval defines the interval in duration at which to poll the APICall. + The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, + such as "300ms", "1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". + format: duration + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. 
"/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + kubernetesResource: + description: |- + Stores a list of Kubernetes resources which will be cached. + Mutually exclusive with APICall. + properties: + group: + description: Group defines the group of the resource. + type: string + namespace: + description: |- + Namespace defines the namespace of the resource. Leave empty for cluster scoped resources. + If left empty for namespaced resources, all resources from all namespaces will be cached. + type: string + resource: + description: |- + Resource defines the type of the resource. + Requires the pluralized form of the resource kind in lowercase. (Ex., "deployments") + type: string + version: + description: Version defines the version of the resource. + type: string + required: + - group + - resource + - version + type: object + type: object + status: + description: Status contains globalcontextentry runtime data. + properties: + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. 
For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastRefreshTime: + description: Indicates the time when the globalcontextentry was last + refreshed successfully for the API Call + format: date-time + type: string + ready: + description: Deprecated in favor of Conditions + type: boolean + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml new file mode 100644 index 000000000000..244acd44e166 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policies.yaml 
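Review bot: The descriptions of `spec.apiCall` and `spec.kubernetesResource` (and of `service` versus `urlPath` inside `apiCall`) state that each pair is mutually exclusive, but the schema itself never enforces it — there is no `oneOf` and no `x-kubernetes-validations` on `spec`, so an entry that sets both is admitted and what happens next depends on controller code that is not visible in this hunk. Because the file is generated by controller-gen, the check belongs on the Go type as a kubebuilder marker so it lands in this CRD, e.g. `// +kubebuilder:validation:XValidation:rule="!(has(self.apiCall) && has(self.kubernetesResource))",message="apiCall and kubernetesResource are mutually exclusive"` on the spec type and the analogous `!(has(self.service) && has(self.urlPath))` on the APICall type. Two smaller points in the same hunk: the `spec` description reads `Spec declares policy exception behaviors.`, which is copied from the PolicyException CRD and should say something like `Spec declares the API call or Kubernetes resources to be cached.`; and `refreshInterval` is an unbounded duration string with no floor, so a cluster-scoped entry with a very small interval would poll the API server or external service on every tick — presumably with Kyverno's own service-account credentials — which argues for either a documented minimum in the description or a CEL rule along the lines of `duration(self) >= duration('1s')`.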
@@ -0,0 +1,17315 @@ +{{- if .Values.groups.kyverno.policies }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: policies.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: Policy + listKind: PolicyList + plural: policies + shortNames: + - pol + singular: policy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. 
+ enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. 
+ See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). 
+ type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. 
+ Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. 
+ type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
+ type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. 
The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
+ x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. 
+ type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. 
+ In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. 
Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. 
+ [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. 
+ type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). 
+ items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. 
Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. 
Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. 
+ type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. 
+ type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. + enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. 
+ 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Deprecated. Policy metrics are available via the metrics + endpoint + properties: + autogen: + description: AutogenStatus contains autogen status information. 
+ properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. 
+ Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. 
+ This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. 
Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. 
+ items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. 
If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. 
+ type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. 
+ properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. 
+ items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. 
+ type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. 
+ type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. 
+ type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. 
+ type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. 
+ items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. 
A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). 
+ properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. 
+ type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. 
+ No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. 
+ If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. 
+ type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. 
+ + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. 
+ properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. 
+ properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the address
+ of the transparency log. Defaults
+ to the public Rekor log instance
+ https://rekor.sigstore.dev.
+ type: string
+ type: object
+ type: object
+ keyless:
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions
+ are certificate-extensions used
+ for keyless signing.
+ type: object
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if set,
+ is used to validate SCTs against
+ a custom source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ issuer:
+ description: Issuer is the certificate
+ issuer used for keyless signing.
+ type: string
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog skips
+ transparency log verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the address
+ of the transparency log. Defaults
+ to the public Rekor log instance
+ https://rekor.sigstore.dev.
+ type: string
+ type: object
+ roots:
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified
+ identity used for keyless signing,
+ for example the email address.
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more
+ public keys.
+ properties:
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if set,
+ is used to validate SCTs against
+ a custom source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ kms:
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
+ type: string
+ publicKeys:
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures.
The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s:///".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog skips
+ transparency log verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the address
+ of the transparency log. Defaults
+ to the public Rekor log instance
+ https://rekor.sigstore.dev.
+ type: string
+ type: object
+ secret:
+ description: Reference to a Secret
+ resource that contains a public
+ key
+ properties:
+ name:
+ description: Name of the secret.
+ The provided secret must contain
+ a key named cosign.pub.
+ type: string
+ namespace:
+ description: Namespace name
+ where the Secret exists.
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and
+ sha512.
+ type: string
+ type: object
+ repository:
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ dryRun:
+ description: DryRun configuration
+ properties:
+ enable:
+ type: boolean
+ namespace:
+ type: string
+ type: object
+ ignoreFields:
+ description: Fields which will be ignored while
+ comparing manifests.
+ items:
+ properties:
+ fields:
+ items:
+ type: string
+ type: array
+ objects:
+ items:
+ properties:
+ group:
+ type: string
+ kind:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ version:
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ repository:
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
+ type: string
+ type: object
+ message:
+ description: Message specifies a custom message to be
+ displayed on failure.
+ type: string
+ pattern:
+ description: Pattern specifies an overlay-style pattern
+ used to check resources.
+ x-kubernetes-preserve-unknown-fields: true
+ podSecurity:
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
+ properties:
+ exclude:
+ description: Exclude specifies the Pod Security
+ Standard controls to be excluded.
+ items:
+ description: PodSecurityStandard specifies the
+ Pod Security Standard controls to be excluded.
+ properties:
+ controlName:
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+ enum:
+ - HostProcess
+ - Host Namespaces
+ - Privileged Containers
+ - Capabilities
+ - HostPath Volumes
+ - Host Ports
+ - AppArmor
+ - SELinux
+ - /proc Mount Type
+ - Seccomp
+ - Sysctls
+ - Volume Types
+ - Privilege Escalation
+ - Running as Non-root
+ - Running as Non-root user
+ type: string
+ images:
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
+ items:
+ type: string
+ type: array
+ restrictedField:
+ description: |-
+ RestrictedField selects the field for the given Pod Security Standard control.
+ When not set, all restricted fields for the control are selected.
+ type: string
+ values:
+ description: Values defines the allowed values
+ that can be excluded.
+ items:
+ type: string
+ type: array
+ required:
+ - controlName
+ type: object
+ type: array
+ level:
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
+ enum:
+ - privileged
+ - baseline
+ - restricted
+ type: string
+ version:
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest.
+ enum:
+ - v1.19
+ - v1.20
+ - v1.21
+ - v1.22
+ - v1.23
+ - v1.24
+ - v1.25
+ - v1.26
+ - v1.27
+ - v1.28
+ - v1.29
+ - latest
+ type: string
+ type: object
+ validationFailureAction:
+ description: |-
+ ValidationFailureAction defines if a validation policy rule violation should block
+ the admission review request (Enforce), or allow (Audit) the admission review request
+ and report an error in a policy report. Optional.
+ Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ validationFailureActionOverrides:
+ description: |-
+ ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction
+ namespace-wise. It overrides ValidationFailureAction for the specified namespaces.
+ items:
+ properties:
+ action:
+ description: ValidationFailureAction defines the
+ policy validation failure action
+ enum:
+ - audit
+ - enforce
+ - Audit
+ - Enforce
+ type: string
+ namespaceSelector:
+ description: |-
+ A label selector is a label query over a set of resources. The result of matchLabels and
+ matchExpressions are ANDed. An empty label selector matches all objects. A null
+ label selector matches no objects.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty.
This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ namespaces:
+ items:
+ type: string
+ type: array
+ type: object
+ type: array
+ type: object
+ verifyImages:
+ description: VerifyImages is used to verify image signatures
+ and mutate them to add a digest
+ items:
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: Deprecated.
+ type: object
+ annotations:
+ additionalProperties:
+ type: string
+ description: Deprecated. Use annotations per Attestor
+ instead.
+ type: object
+ attestations:
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
+ items:
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
+ properties:
+ attestors:
+ description: Attestors specify the required
+ attestors (i.e. authorities).
+ items:
+ properties:
+ count:
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested
+ set of Attestor used to specify
+ a more complex set of match authorities.
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies
+ one or more certificates.
+ properties:
+ cert:
+ description: Cert is an optional
+ PEM-encoded public certificate.
+ type: string
+ certChain:
+ description: CertChain is an
+ optional PEM encoded set of
+ certificates used to verify.
+ type: string
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if
+ set, is used to validate
+ SCTs against a custom
+ source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog
+ skips transparency log
+ verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the
+ address of the transparency
+ log. Defaults to the public
+ Rekor log instance https://rekor.sigstore.dev.
+ type: string
+ type: object
+ type: object
+ keyless:
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions
+ are certificate-extensions
+ used for keyless signing.
+ type: object
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if
+ set, is used to validate
+ SCTs against a custom
+ source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ issuer:
+ description: Issuer is the certificate
+ issuer used for keyless signing.
+ type: string
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog
+ skips transparency log
+ verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the
+ address of the transparency
+ log. Defaults to the public
+ Rekor log instance https://rekor.sigstore.dev.
+ type: string
+ type: object
+ roots:
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the
+ verified identity used for
+ keyless signing, for example
+ the email address.
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one
+ or more public keys.
+ properties:
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if
+ set, is used to validate
+ SCTs against a custom
+ source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ kms:
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
+ type: string
+ publicKeys:
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s:///".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog
+ skips transparency log
+ verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the
+ address of the transparency
+ log.
Defaults to the public
+ Rekor log instance https://rekor.sigstore.dev.
+ type: string
+ type: object
+ secret:
+ description: Reference to a
+ Secret resource that contains
+ a public key
+ properties:
+ name:
+ description: Name of the
+ secret. The provided secret
+ must contain a key named
+ cosign.pub.
+ type: string
+ namespace:
+ description: Namespace name
+ where the Secret exists.
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature
+ algorithm for public keys.
+ Supported values are sha224,
+ sha256, sha384 and sha512.
+ type: string
+ type: object
+ repository:
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ conditions:
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
+ items:
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
+ properties:
+ all:
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context
+ entry (using JMESPath) for conditional
+ rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ any:
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
+ items:
+ description: Condition defines variable-based
+ conditional criteria for rule execution.
+ properties:
+ key:
+ description: Key is the context
+ entry (using JMESPath) for conditional
+ rule evaluation.
+ x-kubernetes-preserve-unknown-fields: true
+ message:
+ description: Message is an optional
+ display message
+ type: string
+ operator:
+ description: |-
+ Operator is the conditional operation to perform.
Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
+ enum:
+ - Equals
+ - NotEquals
+ - In
+ - AnyIn
+ - AllIn
+ - NotIn
+ - AnyNotIn
+ - AllNotIn
+ - GreaterThanOrEquals
+ - GreaterThan
+ - LessThanOrEquals
+ - LessThan
+ - DurationGreaterThanOrEquals
+ - DurationGreaterThan
+ - DurationLessThanOrEquals
+ - DurationLessThan
+ type: string
+ value:
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ type: array
+ type: object
+ type: array
+ predicateType:
+ description: Deprecated in favour of 'Type',
+ to be removed soon
+ type: string
+ type:
+ description: Type defines the type of attestation
+ contained within the Statement.
+ type: string
+ type: object
+ type: array
+ attestors:
+ description: Attestors specified the required attestors
+ (i.e. authorities)
+ items:
+ properties:
+ count:
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
+ minimum: 1
+ type: integer
+ entries:
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
+ items:
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
+ type: object
+ attestor:
+ description: Attestor is a nested set
+ of Attestor used to specify a more complex
+ set of match authorities.
+ x-kubernetes-preserve-unknown-fields: true
+ certificates:
+ description: Certificates specifies one
+ or more certificates.
+ properties:
+ cert:
+ description: Cert is an optional PEM-encoded
+ public certificate.
+ type: string
+ certChain:
+ description: CertChain is an optional
+ PEM encoded set of certificates
+ used to verify.
+ type: string
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if set, is
+ used to validate SCTs against
+ a custom source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog skips
+ transparency log verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the address
+ of the transparency log.
Defaults
+ to the public Rekor log instance
+ https://rekor.sigstore.dev.
+ type: string
+ type: object
+ type: object
+ keyless:
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ properties:
+ additionalExtensions:
+ additionalProperties:
+ type: string
+ description: AdditionalExtensions
+ are certificate-extensions used
+ for keyless signing.
+ type: object
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if set, is
+ used to validate SCTs against
+ a custom source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ issuer:
+ description: Issuer is the certificate
+ issuer used for keyless signing.
+ type: string
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog skips
+ transparency log verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the address
+ of the transparency log. Defaults
+ to the public Rekor log instance
+ https://rekor.sigstore.dev.
+ type: string
+ type: object
+ roots:
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
+ type: string
+ subject:
+ description: Subject is the verified
+ identity used for keyless signing,
+ for example the email address.
+ type: string
+ type: object
+ keys:
+ description: Keys specifies one or more
+ public keys.
+ properties:
+ ctlog:
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
+ properties:
+ ignoreSCT:
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
+ type: boolean
+ pubkey:
+ description: PubKey, if set, is
+ used to validate SCTs against
+ a custom source.
+ type: string
+ tsaCertChain:
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
+ type: string
+ type: object
+ kms:
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
+ type: string
+ publicKeys:
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures.
The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s:///".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
+ type: string
+ rekor:
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
+ properties:
+ ignoreTlog:
+ description: IgnoreTlog skips
+ transparency log verification.
+ type: boolean
+ pubkey:
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
+ type: string
+ url:
+ description: URL is the address
+ of the transparency log. Defaults
+ to the public Rekor log instance
+ https://rekor.sigstore.dev.
+ type: string
+ type: object
+ secret:
+ description: Reference to a Secret
+ resource that contains a public
+ key
+ properties:
+ name:
+ description: Name of the secret.
+ The provided secret must contain
+ a key named cosign.pub.
+ type: string
+ namespace:
+ description: Namespace name where
+ the Secret exists.
+ type: string
+ required:
+ - name
+ - namespace
+ type: object
+ signatureAlgorithm:
+ default: sha256
+ description: Specify signature algorithm
+ for public keys. Supported values
+ are sha224, sha256, sha384 and sha512.
+ type: string
+ type: object
+ repository:
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ cosignOCI11:
+ description: |-
+ CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification.
+ Defaults to false.
+ type: boolean
+ image:
+ description: Deprecated. Use ImageReferences instead.
+ type: string
+ imageReferences:
+ description: |-
+ ImageReferences is a list of matching image reference patterns. At least one pattern in the
+ list must match the image for the rule to apply. Each image reference consists of a registry
+ address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
+ items:
+ type: string
+ type: array
+ imageRegistryCredentials:
+ description: ImageRegistryCredentials provides credentials
+ that will be used for authentication with registry.
+ properties:
+ allowInsecureRegistry:
+ description: AllowInsecureRegistry allows insecure
+ access to a registry.
+ type: boolean
+ providers:
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
+ items:
+ description: ImageRegistryCredentialsProvidersType
+ provides the list of credential providers
+ required.
+ enum:
+ - default
+ - amazon
+ - azure
+ - google
+ - github
+ type: string
+ type: array
+ secrets:
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
+ items:
+ type: string
+ type: array
+ type: object
+ issuer:
+ description: Deprecated. Use KeylessAttestor instead.
+ type: string
+ key:
+ description: Deprecated. Use StaticKeyAttestor instead.
+ type: string
+ mutateDigest:
+ default: true
+ description: |-
+ MutateDigest enables replacement of image tags with digests.
+ Defaults to true.
+ type: boolean
+ repository:
+ description: |-
+ Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule.
+ If specified Repository will override the default OCI image repository configured for the installation.
+ The repository can also be overridden per Attestor or Attestation.
+ type: string
+ required:
+ default: true
+ description: Required validates that images are verified
+ i.e. have matched passed a signature or attestation
+ check.
+ type: boolean
+ roots:
+ description: Deprecated. Use KeylessAttestor instead.
+ type: string
+ skipImageReferences:
+ description: |-
+ SkipImageReferences is a list of matching image reference patterns that should be skipped.
+ At least one pattern in the list must match the image for the rule to be skipped. Each image reference
+ consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest).
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
+ items:
+ type: string
+ type: array
+ subject:
+ description: Deprecated. Use KeylessAttestor instead.
+ type: string
+ type:
+ description: |-
+ Type specifies the method of signature validation. The allowed options
+ are Cosign and Notary. By default Cosign is used if a type is not specified.
+ enum:
+ - Cosign
+ - Notary
+ type: string
+ useCache:
+ default: true
+ description: UseCache enables caching of image verify
+ responses for this rule.
+ type: boolean
+ validationFailureAction:
+ description: Allowed values are Audit or Enforce.
+ enum:
+ - Audit
+ - Enforce
+ type: string
+ verifyDigest:
+ default: true
+ description: VerifyDigest validates that images have
+ a digest.
+ type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when 
validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.admission + name: ADMISSION + type: boolean + - jsonPath: .spec.background + name: BACKGROUND + type: boolean + - jsonPath: .status.conditions[?(@.type == "Ready")].status + name: READY + type: string + - jsonPath: .metadata.creationTimestamp + name: AGE + type: date + - jsonPath: .spec.failurePolicy + name: FAILURE POLICY + priority: 1 + type: string + - jsonPath: .status.rulecount.validate + name: VALIDATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.mutate + name: MUTATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.generate + name: GENERATE + priority: 1 + type: integer + - jsonPath: .status.rulecount.verifyimages + name: VERIFY IMAGES + priority: 1 + type: integer + - jsonPath: .status.conditions[?(@.type == "Ready")].message + name: MESSAGE + type: string + name: v2beta1 + schema: + openAPIV3Schema: + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines policy behaviors and contains one or more rules. + properties: + admission: + default: true + description: |- + Admission controls if rules are applied during admission. + Optional. Default value is "true". + type: boolean + applyRules: + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. + enum: + - All + - One + type: string + background: + default: true + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + failurePolicy: + description: Deprecated, use failurePolicy under the webhookConfiguration + instead. + enum: + - Ignore + - Fail + type: string + generateExisting: + description: Deprecated, use generateExisting under the generate rule + instead + type: boolean + generateExistingOnPolicyUpdate: + description: Deprecated, use generateExisting instead + type: boolean + mutateExistingOnPolicyUpdate: + description: Deprecated, use mutateExistingOnPolicyUpdate under the + mutate rule instead + type: boolean + rules: + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. 
+ Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 
'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources that + can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier for + the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. 
+ properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath context + variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object representable + in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. 
Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. 
+ items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source resource + used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + namespace: + description: Namespace specifies source resource namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. + x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. 
This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. + type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. 
+ type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" + between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one + of the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachMutation applies mutation rules to + a list of sub-elements by creating a context for each + entry in the list and looping over it to apply the specified + logic. + properties: + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if the + mutateExisting rule will be applied on policy events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
+ x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to be + mutated. + items: + description: TargetResourceSpec defines targets for mutating + existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. 
+ type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must be + unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. 
+ Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) + for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the Common + Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for the + audit event of the API request. + items: + description: AuditAnnotation describes how to produce + an audit annotation for an API request. 
+ properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. 
+ properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' + - The namespace object that the incoming object + belongs to. The value is null for cluster-scoped + resources.\n- 'variables' - Map of composited + variables, from its name to its lazily evaluated + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform authorization + checks for the principal (user or service account) + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are + escaped according to the following rules when + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match + a CEL RESERVED keyword escape to '__{keyword}__'. 
+ The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting + elements in `Y` are appended, retaining their + partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. 
+ Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind and + Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. 
+ properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. 
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or fail + a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. 
The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: object + foreach: + description: ForEach applies validate rules to a list of + sub-elements by creating a context for each entry in the + list and looping over it to apply the specified logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context for + each entry in the list and looping over it to apply + the specified logic. 
+ properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data sources + that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the + HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. 
+ properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is + a reference to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. 
+ properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON + object representable in YAML or JSON form. 
+ x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. + type: boolean + foreach: + description: Foreach declares a nested foreach iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. 
+ properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry (using + JMESPath) for conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display + message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of annotation + for message and signature. Default is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set of + Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while comparing + manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be displayed + on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security Standard + controls to be excluded. + items: + description: PodSecurityStandard specifies the Pod + Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the policy + validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required attestors + (i.e. authorities). + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). 
If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. 
+ type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. 
+ type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. 
Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. 
+ type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', to + be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set of Attestor + used to specify a more complex set of match + authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one or + more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates used + to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. 
Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions are + certificate-extensions used for keyless + signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified identity + used for keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one or more public + keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is used + to validate SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips transparency + log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address of + the transparency log. Defaults to + the public Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret resource + that contains a public key + properties: + name: + description: Name of the secret. The + provided secret must contain a key + named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values are + sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. 
+ If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have a + digest. + type: boolean + type: object + type: array + required: + - name + type: object + type: array + schemaValidation: + description: Deprecated. + type: boolean + useServerSideApply: + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. + type: boolean + validationFailureAction: + default: Audit + description: Deprecated, use validationFailureAction under the validate + rule instead. 
+ enum: + - audit + - enforce + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: Deprecated, use validationFailureActionOverrides under + the validate rule instead. + items: + properties: + action: + description: ValidationFailureAction defines the policy validation + failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + webhookConfiguration: + description: WebhookConfiguration specifies the custom configuration + for Kubernetes admission webhookconfiguration. + properties: + failurePolicy: + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. + Allowed values are Ignore or Fail. Defaults to Fail. + enum: + - Ignore + - Fail + type: string + matchConditions: + description: |- + MatchCondition configures admission webhook matchConditions. + Requires Kubernetes 1.27 or later. + items: + description: MatchCondition represents a condition which must + by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. 
+ type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + timeoutSeconds: + description: |- + TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. + format: int32 + type: integer + type: object + webhookTimeoutSeconds: + description: Deprecated, use webhookTimeoutSeconds under webhookConfiguration + instead. + format: int32 + type: integer + type: object + status: + description: Status contains policy runtime data. + properties: + autogen: + description: AutogenStatus contains autogen status information. + properties: + rules: + description: Rules is a list of Rule instances. It contains auto + generated rules added for pod controllers + items: + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. + properties: + celPreconditions: + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. 
It can only be used with the validate.cel subrule + items: + description: MatchCondition represents a condition which + must by fulfilled for a request to be sent to a webhook. + properties: + expression: + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. + type: string + name: + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. + type: string + required: + - expression + - name + type: object + type: array + context: + description: Context defines variables and data sources + that can be used during rule execution. 
+ items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains the HTTP POST + data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request type (GET + or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. 
"/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference is a reference + to a cached global context entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials provides + credentials that will be used for authentication + with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows + insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. 
+ enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary JMESPath + context variable that can be defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary JSON object + representable in YAML or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + exclude: + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. 
The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. 
+ items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + generate: + description: Generation is used to create new resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + clone: + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. + properties: + name: + description: Name specifies name of the resource. + type: string + namespace: + description: Namespace specifies source resource + namespace. + type: string + type: object + cloneList: + description: CloneList specifies the list of source + resource used to populate each generated resource. + properties: + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + namespace: + description: Namespace specifies source resource + namespace. + type: string + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + data: + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. 
+ x-kubernetes-preserve-unknown-fields: true + generateExisting: + description: |- + GenerateExisting controls whether to trigger the rule in existing resources + If is set to "true" the rule will be triggered and applied to existing matched resources. + type: boolean + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + orphanDownstreamOnPolicyDelete: + description: |- + OrphanDownstreamOnPolicyDelete controls whether generated resources should be deleted when the rule that generated + them is deleted with synchronization enabled. This option is only applicable to generate rules of the data type. + See https://kyverno.io/docs/writing-policies/generate/#data-examples. + Defaults to "false" if not specified. + type: boolean + synchronize: + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. + type: boolean + uid: + description: UID specifies the resource uid. + type: string + type: object + imageExtractors: + additionalProperties: + items: + properties: + jmesPath: + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. + type: string + key: + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. 
+ type: string + name: + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. + type: string + path: + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. + type: string + value: + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. + type: string + required: + - path + type: object + type: array + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. + type: object + match: + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. + properties: + all: + description: All allows specifying resources which will + be ANDed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. 
+ items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. 
+ type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will + be ORed + items: + description: ResourceFilter allow users to "AND" or + "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information + about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values + ["CREATE, "UPDATE", "CONNECT", "DELETE"], + which are used to match a specific action. + items: + description: AdmissionOperation can have + one of the values CREATE, UPDATE, CONNECT, + DELETE, which are used to match a specific + action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The + requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role + names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names + like users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + clusterRoles: + description: ClusterRoles is the list of cluster-wide + role names for the user. + items: + type: string + type: array + resources: + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. 
+ Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used + to match a specific action. + items: + description: AdmissionOperation can have one of + the values CREATE, UPDATE, CONNECT, DELETE, + which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + mutate: + description: Mutation is used to modify matching resources. + properties: + foreach: + description: ForEach applies mutation rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachMutation applies mutation rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + order: + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. + enum: + - Ascending + - Descending + type: string + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. + x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. 
+ See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. 
This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + mutateExistingOnPolicyUpdate: + description: MutateExistingOnPolicyUpdate controls if + the mutateExisting rule will be applied on policy + events. + type: boolean + patchStrategicMerge: + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. 
+ x-kubernetes-preserve-unknown-fields: true + patchesJson6902: + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + type: string + targets: + description: Targets defines the target resources to + be mutated. + items: + description: TargetResourceSpec defines targets for + mutating existing resources. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. + items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). 
Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. + type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. 
+ type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. + type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. 
+ properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + type: object + name: + description: Name is a label to identify the rule, It must + be unique within the policy. + maxLength: 63 + type: string + preconditions: + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. 
+ See: https://kyverno.io/docs/writing-policies/preconditions/ + x-kubernetes-preserve-unknown-fields: true + skipBackgroundRequests: + default: true + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. + type: boolean + validate: + description: Validation is used to validate matching resources. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + assert: + description: Assert defines a kyverno-json assertion + tree. + type: object + x-kubernetes-preserve-unknown-fields: true + cel: + description: CEL allows validation checks using the + Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). + properties: + auditAnnotations: + description: AuditAnnotations contains CEL expressions + which are used to produce audit annotations for + the audit event of the API request. + items: + description: AuditAnnotation describes how to + produce an audit annotation for an API request. + properties: + key: + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. 
+ In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. + type: string + valueExpression: + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. + type: string + required: + - key + - valueExpression + type: object + type: array + expressions: + description: Expressions is a list of CELExpression + types. + items: + description: Validation specifies the CEL expression + which is used to apply the validation. + properties: + expression: + description: "Expression represents the expression + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents + of the API request/response, organized into + CEL variables as well as some other useful + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. 
Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object + that the incoming object belongs to. The + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' + - A CEL Authorizer. May be used to perform + authorization checks for the principal (user + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck + constructed from the 'authorizer' and configured + with the\n request resource.\n\n\nThe `apiVersion`, + `kind`, `metadata.name` and `metadata.generateName` + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property + named \"x-prop\": {\"Expression\": \"object.x__dash__prop + > 0\"}\n - Expression accessing a property + named \"redact__d\": {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. 
[1, 2] == [2, 1].\nConcatenation on + arrays with x-kubernetes-list-type use the + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." + type: string + message: + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". + type: string + messageExpression: + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. 
If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" + type: string + reason: + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. + type: string + required: + - expression + type: object + type: array + paramKind: + description: ParamKind is a tuple of Group Kind + and Version. + properties: + apiVersion: + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". + Required. + type: string + kind: + description: |- + Kind is the API kind the resources belong to. + Required. + type: string + type: object + x-kubernetes-map-type: atomic + paramRef: + description: ParamRef references a parameter resource. + properties: + name: + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. + type: string + namespace: + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. 
+ + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. + type: string + parameterNotFoundAction: + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` + type: string + selector: + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. + properties: + matchExpressions: + description: matchExpressions is a list + of label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key + that the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + x-kubernetes-map-type: atomic + variables: + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. + Each variable is defined as a named CEL expression. + The variables defined here will be available under `variables` in other expressions of the policy. + items: + description: Variable is the definition of a variable + that is used for composition. + properties: + expression: + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. + type: string + name: + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. 
+ The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` + type: string + required: + - expression + - name + type: object + type: array + type: object + deny: + description: Deny defines conditions used to pass or + fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + foreach: + description: ForEach applies validate rules to a list + of sub-elements by creating a context for each entry + in the list and looping over it to apply the specified + logic. + items: + description: ForEachValidation applies validate rules + to a list of sub-elements by creating a context + for each entry in the list and looping over it to + apply the specified logic. + properties: + anyPattern: + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. + x-kubernetes-preserve-unknown-fields: true + context: + description: Context defines variables and data + sources that can be used during rule execution. + items: + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. + properties: + apiCall: + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. + properties: + data: + description: |- + The data object specifies the POST data sent to the server. + Only applicable when the method field is set to POST. 
+ items: + description: RequestData contains + the HTTP POST data + properties: + key: + description: Key is a unique identifier + for the data value + type: string + value: + description: Value is the data + value + x-kubernetes-preserve-unknown-fields: true + required: + - key + - value + type: object + type: array + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + method: + default: GET + description: Method is the HTTP request + type (GET or POST). Defaults to GET. + enum: + - GET + - POST + type: string + service: + description: |- + Service is an API call to a JSON web service. + This is used for non-Kubernetes API server calls. + It's mutually exclusive with the URLPath field. + properties: + caBundle: + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. + type: string + url: + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. + type: string + required: + - url + type: object + urlPath: + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + for details. + It's mutually exclusive with the Service field. + type: string + type: object + configMap: + description: ConfigMap is the ConfigMap + reference. + properties: + name: + description: Name is the ConfigMap name. 
+ type: string + namespace: + description: Namespace is the ConfigMap + namespace. + type: string + required: + - name + type: object + globalReference: + description: GlobalContextEntryReference + is a reference to a cached global context + entry. + properties: + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. + type: string + name: + description: Name of the global context + entry + type: string + type: object + imageRegistry: + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. + properties: + imageRegistryCredentials: + description: ImageRegistryCredentials + provides credentials that will be + used for authentication with registry + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry + allows insecure access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential + providers required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + jmesPath: + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. 
+ type: string + reference: + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest + type: string + required: + - reference + type: object + name: + description: Name is the variable name. + type: string + variable: + description: Variable defines an arbitrary + JMESPath context variable that can be + defined inline. + properties: + default: + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil + x-kubernetes-preserve-unknown-fields: true + jmesPath: + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. + type: string + value: + description: Value is any arbitrary + JSON object representable in YAML + or JSON form. + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: array + deny: + description: Deny defines conditions used to pass + or fail a validation rule. + properties: + conditions: + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules + x-kubernetes-preserve-unknown-fields: true + type: object + elementScope: + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. 
+ type: boolean + foreach: + description: Foreach declares a nested foreach + iterator + x-kubernetes-preserve-unknown-fields: true + list: + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. + type: string + pattern: + description: Pattern specifies an overlay-style + pattern used to check resources. + x-kubernetes-preserve-unknown-fields: true + preconditions: + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context entry + (using JMESPath) for conditional rule + evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + manifests: + description: Manifest specifies conditions for manifest + verification + properties: + annotationDomain: + description: AnnotationDomain is custom domain of + annotation for message and signature. Default + is "cosign.sigstore.dev". + type: string + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. 
+ Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more + complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. 
+ If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. 
+ type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, + is used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and + sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + dryRun: + description: DryRun configuration + properties: + enable: + type: boolean + namespace: + type: string + type: object + ignoreFields: + description: Fields which will be ignored while + comparing manifests. + items: + properties: + fields: + items: + type: string + type: array + objects: + items: + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + type: string + version: + type: string + type: object + type: array + type: object + type: array + repository: + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. + type: string + type: object + message: + description: Message specifies a custom message to be + displayed on failure. + type: string + pattern: + description: Pattern specifies an overlay-style pattern + used to check resources. + x-kubernetes-preserve-unknown-fields: true + podSecurity: + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. + properties: + exclude: + description: Exclude specifies the Pod Security + Standard controls to be excluded. + items: + description: PodSecurityStandard specifies the + Pod Security Standard controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. 
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values + that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + level: + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. + enum: + - privileged + - baseline + - restricted + type: string + version: + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, v1.27, v1.28, v1.29, latest. Defaults to latest. 
+ enum: + - v1.19 + - v1.20 + - v1.21 + - v1.22 + - v1.23 + - v1.24 + - v1.25 + - v1.26 + - v1.27 + - v1.28 + - v1.29 + - latest + type: string + type: object + validationFailureAction: + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (Enforce), or allow (Audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + validationFailureActionOverrides: + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. + items: + properties: + action: + description: ValidationFailureAction defines the + policy validation failure action + enum: + - audit + - enforce + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. + properties: + matchExpressions: + description: matchExpressions is a list of + label selector requirements. The requirements + are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + items: + type: string + type: array + type: object + type: array + type: object + verifyImages: + description: VerifyImages is used to verify image signatures + and mutate them to add a digest + items: + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. + properties: + additionalExtensions: + additionalProperties: + type: string + description: Deprecated. + type: object + annotations: + additionalProperties: + type: string + description: Deprecated. Use annotations per Attestor + instead. + type: object + attestations: + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. + items: + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. + properties: + attestors: + description: Attestors specify the required + attestors (i.e. authorities). 
+ items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. + type: object + attestor: + description: Attestor is a nested + set of Attestor used to specify + a more complex set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies + one or more certificates. + properties: + cert: + description: Cert is an optional + PEM-encoded public certificate. + type: string + certChain: + description: CertChain is an + optional PEM encoded set of + certificates used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions + used for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. 
+ type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the + verified identity used for + keyless signing, for example + the email address. + type: string + type: object + keys: + description: Keys specifies one + or more public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. 
+ type: boolean + pubkey: + description: PubKey, if + set, is used to validate + SCTs against a custom + source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog + skips transparency log + verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the + address of the transparency + log. 
Defaults to the public + Rekor log instance https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a + Secret resource that contains + a public key + properties: + name: + description: Name of the + secret. The provided secret + must contain a key named + cosign.pub. + type: string + namespace: + description: Namespace name + where the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature + algorithm for public keys. + Supported values are sha224, + sha256, sha384 and sha512. + type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + conditions: + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. + items: + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass + items: + description: Condition defines variable-based + conditional criteria for rule execution. + properties: + key: + description: Key is the context + entry (using JMESPath) for conditional + rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional + display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - In + - AnyIn + - AllIn + - NotIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + type: array + predicateType: + description: Deprecated in favour of 'Type', + to be removed soon + type: string + type: + description: Type defines the type of attestation + contained within the Statement. + type: string + type: object + type: array + attestors: + description: Attestors specified the required attestors + (i.e. authorities) + items: + properties: + count: + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. + minimum: 1 + type: integer + entries: + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. + items: + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. 
+ type: object + attestor: + description: Attestor is a nested set + of Attestor used to specify a more complex + set of match authorities. + x-kubernetes-preserve-unknown-fields: true + certificates: + description: Certificates specifies one + or more certificates. + properties: + cert: + description: Cert is an optional PEM-encoded + public certificate. + type: string + certChain: + description: CertChain is an optional + PEM encoded set of certificates + used to verify. + type: string + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. 
Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + type: object + keyless: + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + properties: + additionalExtensions: + additionalProperties: + type: string + description: AdditionalExtensions + are certificate-extensions used + for keyless signing. + type: object + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + issuer: + description: Issuer is the certificate + issuer used for keyless signing. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. 
+ type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + roots: + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. + type: string + subject: + description: Subject is the verified + identity used for keyless signing, + for example the email address. + type: string + type: object + keys: + description: Keys specifies one or more + public keys. + properties: + ctlog: + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. + properties: + ignoreSCT: + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. + type: boolean + pubkey: + description: PubKey, if set, is + used to validate SCTs against + a custom source. + type: string + tsaCertChain: + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. + type: string + type: object + kms: + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md + type: string + publicKeys: + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. + type: string + rekor: + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. + properties: + ignoreTlog: + description: IgnoreTlog skips + transparency log verification. + type: boolean + pubkey: + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. + type: string + url: + description: URL is the address + of the transparency log. Defaults + to the public Rekor log instance + https://rekor.sigstore.dev. + type: string + type: object + secret: + description: Reference to a Secret + resource that contains a public + key + properties: + name: + description: Name of the secret. + The provided secret must contain + a key named cosign.pub. + type: string + namespace: + description: Namespace name where + the Secret exists. + type: string + required: + - name + - namespace + type: object + signatureAlgorithm: + default: sha256 + description: Specify signature algorithm + for public keys. Supported values + are sha224, sha256, sha384 and sha512. 
+ type: string + type: object + repository: + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. + type: string + type: object + type: array + type: object + type: array + cosignOCI11: + description: |- + CosignOCI11 enables the experimental OCI 1.1 behaviour in cosign image verification. + Defaults to false. + type: boolean + image: + description: Deprecated. Use ImageReferences instead. + type: string + imageReferences: + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + imageRegistryCredentials: + description: ImageRegistryCredentials provides credentials + that will be used for authentication with registry. + properties: + allowInsecureRegistry: + description: AllowInsecureRegistry allows insecure + access to a registry. + type: boolean + providers: + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. + items: + description: ImageRegistryCredentialsProvidersType + provides the list of credential providers + required. + enum: + - default + - amazon + - azure + - google + - github + type: string + type: array + secrets: + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. + items: + type: string + type: array + type: object + issuer: + description: Deprecated. Use KeylessAttestor instead. 
+ type: string + key: + description: Deprecated. Use StaticKeyAttestor instead. + type: string + mutateDigest: + default: true + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. + type: boolean + repository: + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. + type: string + required: + default: true + description: Required validates that images are verified + i.e. have matched passed a signature or attestation + check. + type: boolean + roots: + description: Deprecated. Use KeylessAttestor instead. + type: string + skipImageReferences: + description: |- + SkipImageReferences is a list of matching image reference patterns that should be skipped. + At least one pattern in the list must match the image for the rule to be skipped. Each image reference + consists of a registry address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + subject: + description: Deprecated. Use KeylessAttestor instead. + type: string + type: + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. + enum: + - Cosign + - Notary + type: string + useCache: + default: true + description: UseCache enables caching of image verify + responses for this rule. + type: boolean + validationFailureAction: + description: Allowed values are Audit or Enforce. + enum: + - Audit + - Enforce + type: string + verifyDigest: + default: true + description: VerifyDigest validates that images have + a digest. 
+ type: boolean + type: object + type: array + required: + - name + type: object + type: array + type: object + conditions: + items: + description: "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + ready: + description: Deprecated in favor of Conditions + type: boolean + rulecount: + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules + properties: + generate: + description: Count for generate rules in policy + type: integer + mutate: + description: Count for mutate rules in policy + type: integer + validate: + description: Count for validate rules in policy + type: integer + verifyimages: + description: Count for verify image rules in policy + type: integer + required: + - generate + - mutate + - validate + - verifyimages + type: object + validatingadmissionpolicy: + description: ValidatingAdmissionPolicy contains status information + properties: + generated: + description: Generated indicates whether a validating admission + policy is generated from the policy or not + type: boolean + message: + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when 
validating admission policy is successfully generated. + type: string + required: + - generated + - message + type: object + required: + - ready + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml new file mode 100644 index 000000000000..6b7a78be0164 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_policyexceptions.yaml 
@@ -0,0 +1,1284 @@ +{{- if .Values.groups.kyverno.policyexceptions }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: policyexceptions.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: PolicyException + listKind: PolicyExceptionList + plural: policyexceptions + shortNames: + - polex + singular: policyexception + scope: Namespaced + versions: + - name: v2 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). 
+ type: boolean + conditions: + description: |- + Conditions are used to determine if a resource applies to the exception by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. 
+ x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. 
+ items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
+ type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. 
+ type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. 
Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + podSecurity: + description: |- + PodSecurity specifies the Pod Security Standard controls to be excluded. + Applicable only to policies that have validate.podSecurity subrule. + items: + description: PodSecurityStandard specifies the Pod Security Standard + controls to be excluded. + properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values that can be excluded. 
+ items: + type: string + type: array + required: + - controlName + type: object + type: array + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: true + - deprecated: true + name: v2beta1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified + policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). + type: boolean + conditions: + description: |- + Conditions are used to determine if a resource applies to the exception by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + properties: + all: + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. 
+ items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + any: + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. + items: + properties: + key: + description: Key is the context entry (using JMESPath) for + conditional rule evaluation. + x-kubernetes-preserve-unknown-fields: true + message: + description: Message is an optional display message + type: string + operator: + description: |- + Operator is the conditional operation to perform. 
Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan + enum: + - Equals + - NotEquals + - AnyIn + - AllIn + - AnyNotIn + - AllNotIn + - GreaterThanOrEquals + - GreaterThan + - LessThanOrEquals + - LessThan + - DurationGreaterThanOrEquals + - DurationGreaterThan + - DurationLessThanOrEquals + - DurationLessThan + type: string + value: + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. + x-kubernetes-preserve-unknown-fields: true + type: object + type: array + type: object + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception + is applied. + items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource + applies to the exception + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". 
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between + resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role + names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about + the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". + type: string + names: + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: |- + NamespaceSelector is a label selector for the resource namespace. 
Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). 
+ items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, + "UPDATE", "CONNECT", "DELETE"], which are used to + match a specific action. + items: + description: AdmissionOperation can have one of the + values CREATE, UPDATE, CONNECT, DELETE, which are + used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names + for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like + users, user groups, and service accounts. + items: + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. + properties: + apiGroup: + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + podSecurity: + description: |- + PodSecurity specifies the Pod Security Standard controls to be excluded. + Applicable only to policies that have validate.podSecurity subrule. + items: + description: PodSecurityStandard specifies the Pod Security Standard + controls to be excluded. 
+ properties: + controlName: + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ + enum: + - HostProcess + - Host Namespaces + - Privileged Containers + - Capabilities + - HostPath Volumes + - Host Ports + - AppArmor + - SELinux + - /proc Mount Type + - Seccomp + - Sysctls + - Volume Types + - Privilege Escalation + - Running as Non-root + - Running as Non-root user + type: string + images: + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. + items: + type: string + type: array + restrictedField: + description: |- + RestrictedField selects the field for the given Pod Security Standard control. + When not set, all restricted fields for the control are selected. + type: string + values: + description: Values defines the allowed values that can be excluded. + items: + type: string + type: array + required: + - controlName + type: object + type: array + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: false +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml new file mode 100644 index 000000000000..030e189ccfe2 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/kyverno.io/kyverno.io_updaterequests.yaml 
@@ -0,0 +1,455 @@ +{{- if .Values.groups.kyverno.updaterequests }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: updaterequests.kyverno.io +spec: + group: kyverno.io + names: + categories: + - kyverno + kind: UpdateRequest + listKind: UpdateRequestList + plural: updaterequests + shortNames: + - ur + singular: updaterequest + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.policy + name: Policy + type: string + - jsonPath: .spec.requestType + name: RuleType + type: string + - jsonPath: .spec.resource.kind + name: ResourceKind + type: string + - jsonPath: .spec.resource.name + name: ResourceName + type: string + - jsonPath: .spec.resource.namespace + name: ResourceNamespace + type: string + - jsonPath: .status.state + name: status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: UpdateRequest is a request to process mutate and generate rules + in background. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: ResourceSpec is the information to identify the trigger resource. + properties: + context: + description: |- + Context represents admission request context. + It is used upon admission review only and is shared across rules within the same UR. + properties: + admissionRequestInfo: + description: AdmissionRequestInfoObject stores the admission request + and operation details + properties: + admissionRequest: + description: AdmissionRequest describes the admission.Attributes + for the admission request. + properties: + dryRun: + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. + type: boolean + kind: + description: Kind is the fully-qualified type of object + being submitted (for example, v1.Pod or autoscaling.v1.Scale) + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + name: + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. + type: string + namespace: + description: Namespace is the namespace associated with + the request (if any). + type: string + object: + description: Object is the object from the incoming request. + type: object + x-kubernetes-preserve-unknown-fields: true + oldObject: + description: OldObject is the existing object. Only populated + for DELETE and UPDATE requests. + type: object + x-kubernetes-preserve-unknown-fields: true + operation: + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. 
+ type: string + options: + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. + type: object + x-kubernetes-preserve-unknown-fields: true + requestKind: + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. + properties: + group: + type: string + kind: + type: string + version: + type: string + required: + - group + - kind + - version + type: object + requestResource: + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. 
+ + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + requestSubResource: + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. + type: string + resource: + description: Resource is the fully-qualified resource + being requested (for example, v1.pods) + properties: + group: + type: string + resource: + type: string + version: + type: string + required: + - group + - resource + - version + type: object + subResource: + description: SubResource is the subresource being requested, + if any (for example, "status" or "scale") + type: string + uid: + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. 
+ It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. + type: string + userInfo: + description: UserInfo is information about the requesting + user + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by + the authenticator. + type: object + groups: + description: The names of groups this user is a part + of. + items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this + user among all active users. + type: string + type: object + required: + - kind + - operation + - resource + - uid + - userInfo + type: object + operation: + description: Operation is the type of resource operation being + checked for admission control + type: string + type: object + userInfo: + description: RequestInfo contains permission info carried in an + admission request. + properties: + clusterRoles: + description: ClusterRoles is a list of possible clusterRoles + send the request. + items: + type: string + nullable: true + type: array + roles: + description: Roles is a list of possible role send the request. + items: + type: string + nullable: true + type: array + userInfo: + description: UserInfo is the userInfo carried in the admission + request. + properties: + extra: + additionalProperties: + description: ExtraValue masks the value so protobuf + can generate + items: + type: string + type: array + description: Any additional information provided by the + authenticator. + type: object + groups: + description: The names of groups this user is a part of. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + uid: + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. + type: string + username: + description: The name that uniquely identifies this user + among all active users. + type: string + type: object + type: object + type: object + deleteDownstream: + description: |- + DeleteDownstream represents whether the downstream needs to be deleted. + Deprecated + type: boolean + policy: + description: Specifies the name of the policy. + type: string + requestType: + description: Type represents request type for background processing + enum: + - mutate + - generate + type: string + resource: + description: ResourceSpec is the information to identify the trigger + resource. + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + rule: + description: Rule is the associate rule name of the current UR. + type: string + ruleContext: + description: |- + RuleContext is the associate context to apply rules. + optional + items: + properties: + deleteDownstream: + description: DeleteDownstream represents whether the downstream + needs to be deleted. + type: boolean + rule: + description: Rule is the associate rule name of the current + UR. + type: string + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + type: boolean + trigger: + description: ResourceSpec is the information to identify the + trigger resource. 
+ properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + required: + - deleteDownstream + - rule + - trigger + type: object + type: array + synchronize: + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. + Deprecated, will be removed in 1.14. + type: boolean + required: + - context + - deleteDownstream + - policy + - resource + - rule + type: object + status: + description: Status contains statistics related to update request. + properties: + generatedResources: + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. + items: + properties: + apiVersion: + description: APIVersion specifies resource apiVersion. + type: string + kind: + description: Kind specifies resource kind. + type: string + name: + description: Name specifies the resource name. + type: string + namespace: + description: Namespace specifies resource namespace. + type: string + uid: + description: UID specifies the resource uid. + type: string + type: object + type: array + message: + description: Specifies request status message. + type: string + retryCount: + type: integer + state: + description: State represents state of the update request. + type: string + required: + - state + type: object + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} 
diff --git a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml new file mode 100644 index 000000000000..e559c4ec9cbb --- /dev/null +++ b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_clusterephemeralreports.yaml 
@@ -0,0 +1,359 @@ +{{- if .Values.groups.reports.clusterephemeralreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterephemeralreports.reports.kyverno.io +spec: + group: reports.kyverno.io + names: + categories: + - kyverno + kind: ClusterEphemeralReport + listKind: ClusterEphemeralReportList + plural: clusterephemeralreports + shortNames: + - cephr + singular: clusterephemeralreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] + name: Source + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] + name: Group + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] + name: Kind + type: string + - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] + name: Owner + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] + name: Uid + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: ClusterEphemeralReport is the Schema for the ClusterEphemeralReports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. 
Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. 
+ format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml new file mode 100644 index 000000000000..c157a952118d --- /dev/null +++ b/charts/kyverno/charts/crds/templates/reports.kyverno.io/reports.kyverno.io_ephemeralreports.yaml 
@@ -0,0 +1,359 @@ +{{- if .Values.groups.reports.ephemeralreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: ephemeralreports.reports.kyverno.io +spec: + group: reports.kyverno.io + names: + categories: + - kyverno + kind: EphemeralReport + listKind: EphemeralReportList + plural: ephemeralreports + shortNames: + - ephr + singular: ephemeralreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.labels['audit\.kyverno\.io/source'] + name: Source + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.group'] + name: Group + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.kind'] + name: Kind + type: string + - jsonPath: .metadata.annotations['audit\.kyverno\.io/resource\.name'] + name: Owner + type: string + - jsonPath: .spec.summary.pass + name: Pass + type: integer + - jsonPath: .spec.summary.fail + name: Fail + type: integer + - jsonPath: .spec.summary.warn + name: Warn + type: integer + - jsonPath: .spec.summary.error + name: Error + type: integer + - jsonPath: .spec.summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.uid'] + name: Uid + priority: 1 + type: string + - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] + name: Hash + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: EphemeralReport is the Schema for the EphemeralReports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. 
+ Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + owner: + description: Owner is a reference to the report owner (e.g. a Deployment, + Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + blockOwnerDeletion: + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. + type: boolean + controller: + description: If true, this reference points to the managing controller. + type: boolean + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids + type: string + required: + - apiVersion + - kind + - name + - uid + type: object + x-kubernetes-map-type: atomic + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for + the policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for + the policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked + Kubernetes resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. 
Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule + execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within + the policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. 
+ format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not + be evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not + selected for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + required: + - owner + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml new file mode 100644 index 000000000000..f5274f2a8528 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_clusterpolicyreports.yaml 
@@ -0,0 +1,386 @@ +{{- if .Values.groups.wgpolicyk8s.clusterpolicyreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: clusterpolicyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: ClusterPolicyReport + listKind: ClusterPolicyReportList + plural: clusterpolicyreports + shortNames: + - cpolr + singular: clusterpolicyreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: ClusterPolicyReport is the Schema for the clusterpolicyreports + API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. 
Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{- end }} 
diff --git a/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml new file mode 100644 index 000000000000..5fa9ffd4cfe2 --- /dev/null +++ b/charts/kyverno/charts/crds/templates/wgpolicyk8s.io/wgpolicyk8s.io_policyreports.yaml 
@@ -0,0 +1,385 @@ +{{- if .Values.groups.wgpolicyk8s.policyreports }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + labels: + {{- include "kyverno.crds.labels" . | nindent 4 }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + controller-gen.kubebuilder.io/version: v0.15.0 + name: policyreports.wgpolicyk8s.io +spec: + group: wgpolicyk8s.io + names: + kind: PolicyReport + listKind: PolicyReportList + plural: policyreports + shortNames: + - polr + singular: policyreport + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .scope.kind + name: Kind + type: string + - jsonPath: .scope.name + name: Name + type: string + - jsonPath: .summary.pass + name: Pass + type: integer + - jsonPath: .summary.fail + name: Fail + type: integer + - jsonPath: .summary.warn + name: Warn + type: integer + - jsonPath: .summary.error + name: Error + type: integer + - jsonPath: .summary.skip + name: Skip + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: PolicyReport is the Schema for the policyreports API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + results: + description: PolicyReportResult provides result details + items: + description: PolicyReportResult provides the result for an individual + policy + properties: + category: + description: Category indicates policy category + type: string + message: + description: Description is a short user friendly message for the + policy rule + type: string + policy: + description: Policy is the name or identifier of the policy + type: string + properties: + additionalProperties: + type: string + description: Properties provides additional information for the + policy rule + type: object + resourceSelector: + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + resources: + description: Subjects is an optional reference to the checked Kubernetes + resources + items: + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. 
Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + type: array + result: + description: Result indicates the outcome of the policy rule execution + enum: + - pass + - fail + - warn + - error + - skip + type: string + rule: + description: Rule is the name or identifier of the rule within the + policy + type: string + scored: + description: Scored indicates if this result is scored + type: boolean + severity: + description: Severity indicates policy check result criticality + enum: + - critical + - high + - low + - medium + - info + type: string + source: + description: Source is an identifier for the policy engine that + manages this report + type: string + timestamp: + description: Timestamp indicates the time the result was found + properties: + nanos: + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. + format: int32 + type: integer + seconds: + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. + format: int64 + type: integer + required: + - nanos + - seconds + type: object + required: + - policy + type: object + type: array + scope: + description: Scope is an optional reference to the report scope (e.g. + a Deployment, Namespace, or Node) + properties: + apiVersion: + description: API version of the referent. + type: string + fieldPath: + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. 
+ For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. + type: string + kind: + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + name: + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + type: string + namespace: + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ + type: string + resourceVersion: + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency + type: string + uid: + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids + type: string + type: object + x-kubernetes-map-type: atomic + scopeSelector: + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + summary: + description: PolicyReportSummary provides a summary of results + properties: + error: + description: Error provides the count of policies that could not be + evaluated + type: integer + fail: + description: Fail provides the count of policies whose requirements + were not met + type: integer + pass: + description: Pass provides the count of policies whose requirements + were met + type: integer + skip: + description: Skip indicates the count of policies that were not selected + for evaluation + type: integer + warn: + description: Warn provides the count of non-scored policies whose + requirements were not met + type: integer + type: object + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/charts/kyverno/charts/crds/values.yaml b/charts/kyverno/charts/crds/values.yaml new file mode 100644 index 000000000000..07cfa8403eb9 
--- /dev/null +++ b/charts/kyverno/charts/crds/values.yaml @@ -0,0 +1,41 @@ +# -- Internal settings used with `helm template` to generate install manifest +# @ignored +templating: + enabled: false + debug: false + version: ~ + +groups: + + # -- Install CRDs in group `kyverno.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + kyverno: + cleanuppolicies: true + clustercleanuppolicies: true + clusterpolicies: true + globalcontextentries: true + policies: true + policyexceptions: true + updaterequests: true + + # -- Install CRDs in group `reports.kyverno.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + reports: + clusterephemeralreports: true + ephemeralreports: true + + # -- Install CRDs in group `wgpolicyk8s.io` + # -- This field can be overwritten by setting crds.labels in the parent chart + wgpolicyk8s: + clusterpolicyreports: true + policyreports: true + +# -- Additional CRDs annotations +# -- This field can be overwritten by setting crds.annotations in the parent chart +annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' + +# -- Additional CRDs labels +# -- This field can be overwritten by setting crds.labels in the parent chart +customLabels: {} diff --git a/charts/kyverno/charts/grafana/Chart.yaml b/charts/kyverno/charts/grafana/Chart.yaml new file mode 100644 index 000000000000..969c0ab64284 --- /dev/null +++ b/charts/kyverno/charts/grafana/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: grafana +version: v0.0.0 diff --git a/charts/kyverno/charts/grafana/README.md b/charts/kyverno/charts/grafana/README.md new file mode 100644 index 000000000000..3523f8903386 --- /dev/null +++ b/charts/kyverno/charts/grafana/README.md 
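Review bot: The helm-docs comments on `groups.kyverno`, `groups.reports`, `groups.wgpolicyk8s` and `annotations` in the new values.yaml all say the field "can be overwritten by setting crds.labels in the parent chart", which only fits the `customLabels` entry at the bottom of the file and looks copy-pasted. helm-docs renders these sentences verbatim into the chart README, so operators trying to disable a CRD group or add CRD annotations from the parent chart would be pointed at the wrong value. The override keys are presumably `crds.annotations` and `crds.groups.<group>` respectively (worth confirming against the parent chart's values), e.g. `# -- This field can be overwritten by setting crds.annotations in the parent chart` under `annotations` and `# -- This field can be overwritten by setting crds.groups.kyverno in the parent chart` under `groups.kyverno`, with the same fix for the `reports` and `wgpolicyk8s` blocks.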
@@ -0,0 +1,16 @@ +# grafana + +![Version: v0.0.0](https://img.shields.io/badge/Version-v0.0.0-informational?style=flat-square) + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. | +| namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. | +| annotations | object | `{}` | Grafana dashboard configmap annotations. | +| labels | object | `{"grafana_dashboard":"1"}` | Grafana dashboard configmap labels | +| grafanaDashboard | object | `{"create":false,"matchLabels":{"dashboards":"grafana"}}` | create GrafanaDashboard custom resource referencing to the configMap. according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/kyverno/charts/grafana/dashboard/kyverno-dashboard.json b/charts/kyverno/charts/grafana/dashboard/kyverno-dashboard.json new file mode 100644 index 000000000000..c24c9cdf245a --- /dev/null +++ b/charts/kyverno/charts/grafana/dashboard/kyverno-dashboard.json 
@@ -0,0 +1,2876 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS_KYVERNO", + "label": "Prometheus Data Source exposing Kyverno's metrics", + "description": "Prometheus Data Source exposing Kyverno's metrics", + "type": "datasource" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "", + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": 2, + "iteration": 1628375170149, + "links": [], + "panels": [ + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "gridPos": { + "h": 6, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 42, + "options": { + "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)", + "mode": "markdown" + }, + "pluginVersion": "8.1.0", + "timeFrom": null, + "timeShift": null, + "transparent": true, + "type": "text" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 6 + }, + "id": 12, + "panels": [], + "title": "Latest Status", + "type": "row" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "value": 0, + "color": "green" + }, + { + "color": "#eab839", + "value": 25 + }, + { + "color": "red", + "value": 50 + }, + { + "color": 
"red", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 0, + "y": 7 + }, + "id": 29, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results{rule_result=\"fail\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rule Execution Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 8, + "y": 7 + }, + "id": 2, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\",cluster=~\"$cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Cluster Policies", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + 
"overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 12, + "y": 7 + }, + "id": 3, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\", cluster=~\"$cluster\"}==1) by (policy_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Policies", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "value": 0, + "color": "green" + }, + { + "color": "#eab839", + "value": 25 + }, + { + "color": "red", + "value": 50 + }, + { + "color": "red", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 6, + "x": 18, + "y": 7 + }, + "id": 28, + "options": { + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results{rule_result=\"fail\", policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]) or vector(0))*100/sum(increase(kyverno_policy_results{policy_background_mode=\"true\", cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Background Scans Failure Rate (Last 24 Hours)", + "transparent": true, + "type": "gauge" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + 
"defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 6, + "y": 12 + }, + "id": 4, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"validate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Validate Rules", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 10, + "y": 12 + }, + "id": 23, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"mutate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Mutate Rules", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + 
"noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 14, + "y": 12 + }, + "id": 6, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{rule_type=\"generate\", cluster=~\"$cluster\"}==1) by (rule_name))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Generate Rules", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 26, + "panels": [], + "title": "Policy-Rule Results", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 17 + }, + "hiddenSeries": false, + "id": 15, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, 
+ "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_policy_results{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "Admission Review Result: {{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Review Results (per-rule)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 17 + }, + "hiddenSeries": false, + "id": 17, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": 
"sum(increase(kyverno_policy_results{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (rule_result)", + "interval": "", + "legendFormat": "Background Scan Result: {{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Background Scan Results (per-rule)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 16, + "w": 8, + "x": 16, + "y": 17 + }, + "hiddenSeries": false, + "id": 30, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "cluster", + "color": "#5794F2", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "namespaced", + "color": "#F2495C", + "dashes": true + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results{rule_result=\"fail\", 
cluster=~\"$cluster\"}[5m])) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Policy Failures", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 25 + }, + "hiddenSeries": false, + "id": 31, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results{rule_execution_cause=\"admission_request\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + 
"legendFormat": "Admission Review Result: {{rule_result}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Review Results (per-policy)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 25 + }, + "hiddenSeries": false, + "id": 32, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:2021", + "alias": "pass", + "color": "rgb(43, 219, 23)", + "dashes": true + }, + { + "$$hashKey": "object:2029", + "alias": "fail", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(sum(increase(kyverno_policy_results{rule_execution_cause=\"background_scan\", cluster=~\"$cluster\"}[5m])) by (policy_name, rule_result)) by (rule_result)", + "interval": "", + "legendFormat": "Background Scan Result: {{rule_result}}", + 
"refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Background Scan Results (per-policy)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 33 + }, + "id": 19, + "panels": [], + "title": "Policy-Rule Info", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 34 + }, + "hiddenSeries": false, + "id": 16, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3795", + "alias": "cluster", + "color": "#5794F2" + }, + { + "$$hashKey": "object:3800", + "alias": "namespaced", + "color": "#FF7383" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": 
"count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Policies (by policy type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 34 + }, + "hiddenSeries": false, + "id": 20, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3319", + "alias": "audit", + "color": "#37872D" + }, + { + "$$hashKey": "object:3335", + "alias": "enforce", + "color": "#FF9830" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", + 
"interval": "", + "legendFormat": "Policy Validation Mode: {{policy_validation_mode}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Policies (by policy validation action)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 34 + }, + "hiddenSeries": false, + "id": 24, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3934", + "alias": "cluster", + "color": "#B877D9" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\", cluster=~\"$cluster\"}==1) by (policy_name, policy_type)) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + 
"timeShift": null, + "title": "Active Policies running in background mode", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 42 + }, + "hiddenSeries": false, + "id": 21, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\", cluster=~\"$cluster\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", + "interval": "", + "legendFormat": "Namespace: {{policy_namespace}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Namespaced Policies (by namespaces)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + 
"values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 10, + "x": 8, + "y": 42 + }, + "hiddenSeries": false, + "id": 14, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:3021", + "alias": "mutate", + "color": "rgb(169, 58, 227)" + }, + { + "$$hashKey": "object:3029", + "alias": "validate", + "color": "rgb(255, 232, 0)" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "count(count(kyverno_policy_rule_info_total{cluster=~\"$cluster\"}==1) by (rule_type, rule_name)) by (rule_type)", + "interval": "", + "legendFormat": "Rule Type: {{rule_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Active Rules (by rule type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": 
"0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 50 + }, + "id": 34, + "panels": [], + "title": "Policy-Rule Execution Latency", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 51 + }, + "hiddenSeries": false, + "id": 36, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (rule_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (rule_type)", + "interval": "", + "legendFormat": "Rule Type: {{rule_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Average Rule Execution Latency Over Time", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:5548", + "format": "s", + "label": "", + 
"logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:5549", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 51 + }, + "hiddenSeries": false, + "id": 37, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:5526", + "alias": "cluster", + "color": "#5794F2" + }, + { + "$$hashKey": "object:5534", + "alias": "namespaced", + "color": "#F2495C" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (policy_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Average Policy Execution Latency Over Time", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:5548", + "format": "clocks", + "label": "", + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { 
+ "$$hashKey": "object:5549", + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": false + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 51 + }, + "id": 39, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) / sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Rule Execution Latency", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 55 + }, + "id": 40, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{cluster=~\"$cluster\"}) by (policy_name, policy_type) / 
sum(kyverno_policy_execution_duration_seconds_count{cluster=~\"$cluster\"}) by (policy_name, policy_type))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Overall Average Policy Execution Latency", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 59 + }, + "id": 52, + "panels": [], + "title": "Admission Review Latency", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 60 + }, + "hiddenSeries": false, + "id": 53, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_request_operation) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Avg - Admission Review Duration Over Time (by operation)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + 
"$$hashKey": "object:218", + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 60 + }, + "hiddenSeries": false, + "id": 54, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"}[5m])) by (resource_kind) / sum(rate(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Avg - Admission Review Duration Over Time (by resource kind)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "s", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + 
"format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 60 + }, + "id": 50, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Incoming Admission Requests (per 5m)", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "purple", + "value": null + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 64 + }, + "id": 55, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(kyverno_admission_review_duration_seconds_sum{cluster=~\"$cluster\"})/sum(kyverno_admission_review_duration_seconds_count{cluster=~\"$cluster\"})", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Avg - 
Overall Admission Review Duration", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": {}, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 68 + }, + "id": 8, + "panels": [], + "title": "Policy Changes", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 69 + }, + "hiddenSeries": false, + "id": 10, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1487", + "alias": "Change type: created", + "color": "#5794F2" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_change_type)", + "interval": "", + "legendFormat": "Change type: {{policy_change_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Policy Changes Over Time (by change type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + 
"logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 69 + }, + "hiddenSeries": false, + "id": 13, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1679", + "alias": "cluster", + "color": "#F2495C" + }, + { + "$$hashKey": "object:1769" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m])) by (policy_type)", + "interval": "", + "legendFormat": "Policy Type: {{policy_type}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Policy Changes Over Time (by policy type)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { 
+ "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "orange", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 69 + }, + "id": 49, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_policy_changes_total{cluster=~\"$cluster\"}[24h]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Policy Changes (Last 24 Hours)", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 6, + "x": 18, + "y": 73 + }, + "id": 48, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.1.0", + "targets": [ + { + "exemplar": true, + "expr": "sum(rate(kyverno_policy_changes_total{cluster=~\"$cluster\"}[5m]))", + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Rate - Policy Changes Happening (last 5m)", + "type": "stat" + }, + { + "collapsed": false, + "datasource": null, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 77 + }, + "id": 44, + "panels": [], + "title": "Admission Requests", + "type": "row" + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + 
"datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 0, + "y": 78 + }, + "hiddenSeries": false, + "id": 45, + "legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1487", + "alias": "Change type: created", + "color": "#5794F2" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_request_operation)", + "interval": "", + "legendFormat": "Resource Operation: {{resource_request_operation}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Requests (by operation)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "aliasColors": {}, + "bars": false, + "dashLength": 10, + "dashes": false, + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fill": 1, + "fillGradient": 0, + "gridPos": { + "h": 8, + "w": 9, + "x": 9, + "y": 78 + }, + "hiddenSeries": false, + "id": 46, + 
"legend": { + "alignAsTable": true, + "avg": false, + "current": true, + "max": true, + "min": true, + "rightSide": false, + "show": true, + "total": false, + "values": true + }, + "lines": true, + "linewidth": 1, + "nullPointMode": "null", + "options": { + "alertThreshold": true + }, + "percentage": false, + "pluginVersion": "8.1.0", + "pointradius": 2, + "points": false, + "renderer": "flot", + "seriesOverrides": [ + { + "$$hashKey": "object:1487", + "alias": "Change type: created", + "color": "#5794F2" + } + ], + "spaceLength": 10, + "stack": false, + "steppedLine": false, + "targets": [ + { + "exemplar": true, + "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[5m])) by (resource_kind)", + "interval": "", + "legendFormat": "Resource Kind: {{resource_kind}}", + "refId": "A" + } + ], + "thresholds": [], + "timeFrom": null, + "timeRegions": [], + "timeShift": null, + "title": "Admission Requests (by resource kind)", + "tooltip": { + "shared": true, + "sort": 0, + "value_type": "individual" + }, + "transparent": true, + "type": "graph", + "xaxis": { + "buckets": null, + "mode": "time", + "name": null, + "show": true, + "values": [] + }, + "yaxes": [ + { + "$$hashKey": "object:218", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": "0", + "show": true + }, + { + "$$hashKey": "object:219", + "format": "short", + "label": null, + "logBase": 1, + "max": null, + "min": null, + "show": true + } + ], + "yaxis": { + "align": false, + "alignLevel": null + } + }, + { + "datasource": "${DS_PROMETHEUS_KYVERNO}", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "semi-dark-green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 6, + "x": 18, + "y": 78 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + 
"orientation": "auto",
+ "reduceOptions": {
+ "calcs": [
+ "lastNotNull"
+ ],
+ "fields": "",
+ "values": false
+ },
+ "text": {},
+ "textMode": "auto"
+ },
+ "pluginVersion": "8.1.0",
+ "targets": [
+ {
+ "exemplar": true,
+ "expr": "sum(increase(kyverno_admission_requests_total{cluster=~\"$cluster\"}[24h]))",
+ "interval": "",
+ "legendFormat": "",
+ "refId": "A"
+ }
+ ],
+ "title": "Total Admission Requests (Last 24 Hours)",
+ "type": "stat"
+ }
+ ],
+ "refresh": false,
+ "schemaVersion": 30,
+ "style": "dark",
+ "tags": [],
+ "templating": {
+ "list": [
+ {
+ "hide": 0,
+ "label": "datasource",
+ "name": "DS_PROMETHEUS_KYVERNO",
+ "options": [],
+ "query": "prometheus",
+ "refresh": 1,
+ "regex": "",
+ "type": "datasource"
+ }
+ ,{
+ "allValue": ".*",
+ "datasource": "${DS_PROMETHEUS_KYVERNO}",
+ "definition": "label_values(kyverno_policy_results, cluster)",
+ "hide": 0,
+ "includeAll": true,
+ "label": "Cluster",
+ "multi": true,
+ "name": "cluster",
+ "options": [],
+ "query": "label_values(kyverno_policy_results, cluster)",
+ "refresh": 2,
+ "type": "query"
+ }
+ ]
+ },
+ "time": {
+ "from": "now-1h",
+ "to": "now"
+ },
+ "timepicker": {},
+ "timezone": "",
+ "title": "Kyverno Metrics",
+ "folder": "Kyverno",
+ "uid": "Rg8lWBG7k",
+ "version": "1.4.3"
+}
diff --git a/charts/kyverno/charts/grafana/templates/dashboard.yaml b/charts/kyverno/charts/grafana/templates/dashboard.yaml
new file mode 100644
index 000000000000..376cc65d39fd
--- /dev/null
+++ b/charts/kyverno/charts/grafana/templates/dashboard.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ tpl .Values.configMapName . }}
+ namespace: {{ default (include "kyverno.namespace" .) .Values.namespace }}
+ annotations:
+ {{- toYaml .Values.annotations | nindent 4 }}
+ labels:
+ {{- toYaml .Values.labels | nindent 4 }}
+data:
+{{ (.Files.Glob "dashboard/*").AsConfig | indent 2 }}
+---
+{{- if .Values.grafanaDashboard.create -}}
+{{ range $path, $_ := .Files.Glob "dashboard/*" -}}
+{{ $name := base $path }}
+apiVersion: grafana.integreatly.org/v1beta1
+kind: GrafanaDashboard
+metadata:
+ name: {{ tpl $.Values.configMapName $ }}-{{ $name }}
+ namespace: {{ default (include "kyverno.namespace" $ ) $.Values.namespace }}
+spec:
+ allowCrossNamespaceImport: {{ $.Values.grafanaDashboard.allowCrossNamespaceImport }}
+ folder: {{ $.Values.grafanaDashboard.folder }}
+ instanceSelector:
+ matchLabels:
+ {{- toYaml $.Values.grafanaDashboard.matchLabels | nindent 6 }}
+ configMapRef:
+ name: {{ tpl $.Values.configMapName $ }}
+ key: {{ $name }}
+---
+{{ end -}}
+{{- end -}}
diff --git a/charts/kyverno/charts/grafana/values.yaml b/charts/kyverno/charts/grafana/values.yaml
new file mode 100644
index 000000000000..15babe2e0239
--- /dev/null
+++ b/charts/kyverno/charts/grafana/values.yaml
@@ -0,0 +1,20 @@
+# -- Configmap name template.
+configMapName: '{{ include "kyverno.fullname" . }}-grafana'
+
+# -- (string) Namespace to create the grafana dashboard configmap.
+# If not set, it will be created in the same namespace where the chart is deployed.
+namespace: ~
+
+# -- Grafana dashboard configmap annotations.
+annotations: {}
+
+# -- Grafana dashboard configmap labels
+labels:
+ grafana_dashboard: "1"
+
+# -- create GrafanaDashboard custom resource referencing to the configMap.
+# according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/
+grafanaDashboard:
+ create: false
+ matchLabels:
+ dashboards: "grafana"
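Review bot: `allowCrossNamespaceImport: {{ $.Values.grafanaDashboard.allowCrossNamespaceImport }}` and `folder: {{ $.Values.grafanaDashboard.folder }}` in the GrafanaDashboard spec read keys that the values.yaml hunk on this page never declares (it defines only `grafanaDashboard.create` and `grafanaDashboard.matchLabels`), so with `create: true` both fields render empty and the cross-namespace import behaviour is left to whatever the operator defaults to. Declare both keys in values.yaml with an explicit default and a doc comment, e.g. `allowCrossNamespaceImport: false` and `folder: ""`, so the rendered resource states whether the dashboard may be picked up by Grafana instances outside the chart's namespace instead of relying on an implicit default. The `$name` placed in `metadata.name` is a raw dashboard filename from `.Files.Glob "dashboard/*"`; a filename containing characters that are not valid in a Kubernetes resource name would presumably only fail at apply time, which is worth a comment on the `range` line.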
diff --git a/charts/kyverno/ci/caCertsConfigMap-values.yaml b/charts/kyverno/ci/caCertsConfigMap-values.yaml
new file mode 100644
index 000000000000..1897ef755e28
--- /dev/null
+++ b/charts/kyverno/ci/caCertsConfigMap-values.yaml
@@ -0,0 +1,13 @@
+global:
+ caCertificates:
+ data: |
+ -----BEGIN CERTIFICATE-----
+ MIIBbzCCARWgAwIBAgIQK0Z1j0Q96/LIo4tNHxsPUDAKBggqhkjOPQQDAjAWMRQw
+ EgYDVQQDEwtab2xsZXJMYWJDQTAeFw0yMjA1MTgwODI2NTBaFw0zMjA1MTUwODI2
+ NTBaMBYxFDASBgNVBAMTC1pvbGxlckxhYkNBMFkwEwYHKoZIzj0CAQYIKoZIzj0D
+ AQcDQgAEJxGhyW26O77E7fqFcbzljYzlLq/G7yANNwerWnWUKlW9gcrcPqZwwrTX
+ yaJZpdCWTObvbOyaOxq5NsytC/ubLKNFMEMwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud
+ EwEB/wQIMAYBAf8CAQEwHQYDVR0OBBYEFDoT1GEM8NYfxSKBkSzg4rpY+xdUMAoG
+ CCqGSM49BAMCA0gAMEUCIQDDLWFn/XJPqpNGXcyjlSJFxlQUJ5Cu/+nDvtbTeUGA
+ NAIgMsVwBafMtmLQFlfvZsE95UYoYUV4ayH+OLTTQaDQOPY=
+ -----END CERTIFICATE-----
diff --git a/charts/kyverno/ci/default-values.yaml b/charts/kyverno/ci/default-values.yaml
new file mode 100644
index 000000000000..f5533b97c497
--- /dev/null
+++ b/charts/kyverno/ci/default-values.yaml
@@ -0,0 +1,2 @@
+---
+## This tests the default values.
diff --git a/charts/kyverno/ci/default-vaules.yaml b/charts/kyverno/ci/default-vaules.yaml
deleted file mode 100644
index 3281594fc241..000000000000
--- a/charts/kyverno/ci/default-vaules.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-## This tests the default values.
\ No newline at end of file
diff --git a/charts/kyverno/ci/extraContainers-values.yaml b/charts/kyverno/ci/extraContainers-values.yaml
index ab4229b61f6d..a8d7265c09b8 100644
--- a/charts/kyverno/ci/extraContainers-values.yaml
+++ b/charts/kyverno/ci/extraContainers-values.yaml
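Review bot: The certificate block under `global.caCertificates.data` carries no marker that it is a throwaway CA used only to exercise the chart's CA ConfigMap rendering, so someone auditing the chart for trust anchors has to infer that from the file's location under `ci/`. Add a comment above `global:`, e.g. `# Test-only CA certificate used by chart CI to render the caCertificates ConfigMap; it is not trusted anywhere else.` The template that consumes this value is not on this page, so how the rendered ConfigMap is mounted cannot be confirmed from here.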
@@ -1,9 +1,10 @@
-extraContainers:
- - name: myapp-container
- image: busybox
- command: ['sh', '-c', 'echo Hello && sleep 3600']
+admissionController:
+ extraContainers:
+ - name: myapp-container
+ image: busybox
+ command: ['sh', '-c', 'echo Hello && sleep 3600']
 
-extraInitContainers:
- - name: init-container
- image: busybox
- command: ['sh', '-c', 'echo Hello']
+ extraInitContainers:
+ - name: init-container
+ image: busybox
+ command: ['sh', '-c', 'echo Hello']
diff --git a/charts/kyverno/ci/hooks-values.yaml b/charts/kyverno/ci/hooks-values.yaml
index 399110f1b046..d0d98ab277ac 100644
--- a/charts/kyverno/ci/hooks-values.yaml
+++ b/charts/kyverno/ci/hooks-values.yaml
@@ -1,3 +1,16 @@
 ---
 webhooksCleanup:
 enable: true
+ nodeSelector:
+ kubernetes.io/os: linux
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - hooks
+ topologyKey: kubernetes.io/hostname
diff --git a/charts/kyverno/ci/imageRegistry-values.yaml b/charts/kyverno/ci/imageRegistry-values.yaml
index 2a5547ccbaf3..6781293fcfad 100644
--- a/charts/kyverno/ci/imageRegistry-values.yaml
+++ b/charts/kyverno/ci/imageRegistry-values.yaml
@@ -1,9 +1,15 @@
-testImage:
- registry: docker.io
- repository: busybox
-image:
- registry: ko.local
- repository: github.com/kyverno/kyverno/cmd/kyverno
-initImage:
- registry: ko.local
- repository: github.com/kyverno/kyverno/cmd/initcontainer
+test:
+ image:
+ registry: docker.io
+ repository: busybox
+
+admissionController:
+ container:
+ image:
+ registry: ko.local
+ repository: github.com/kyverno/kyverno/cmd/kyverno
+
+ initContainer:
+ image:
+ registry: ko.local
+ repository: github.com/kyverno/kyverno/cmd/initcontainer
diff --git a/charts/kyverno/ci/monitoring-values.yaml b/charts/kyverno/ci/monitoring-values.yaml
new file mode 100644
index 000000000000..21a28adab68a
--- /dev/null
+++ b/charts/kyverno/ci/monitoring-values.yaml
@@ -0,0 +1,31 @@
+---
+admissionController:
+ serviceMonitor:
+ enabled: true
+ relabelings:
+ - action: labeldrop
+ regex: container
+
+cleanupController:
+ serviceMonitor:
+ enabled: true
+ relabelings:
+ - action: labeldrop
+ regex: container
+
+backgroundController:
+ serviceMonitor:
+ enabled: true
+ relabelings:
+ - action: labeldrop
+ regex: container
+
+reportsController:
+ serviceMonitor:
+ enabled: true
+ relabelings:
+ - action: labeldrop
+ regex: container
+
+grafana:
+ enabled: true
diff --git a/charts/kyverno/ci/nodeSelector-global-values.yaml b/charts/kyverno/ci/nodeSelector-global-values.yaml
new file mode 100644
index 000000000000..205f41ec6984
--- /dev/null
+++ b/charts/kyverno/ci/nodeSelector-global-values.yaml
@@ -0,0 +1,7 @@
+global:
+ nodeSelector:
+ node-role.kubernetes.io/foo: ''
+
+admissionController:
+ nodeSelector:
+ node-role.kubernetes.io/bar: ''
diff --git a/charts/kyverno/ci/replicas-values.yaml b/charts/kyverno/ci/replicas-values.yaml
new file mode 100644
index 000000000000..7c1620eacd9f
--- /dev/null
+++ b/charts/kyverno/ci/replicas-values.yaml
@@ -0,0 +1,11 @@
+admissionController:
+ replicas: 1
+
+cleanupController:
+ replicas: 1
+
+reportsController:
+ replicas: 1
+
+backgroundController:
+ replicas: 1
diff --git a/charts/kyverno/ci/resourceFilters-values.yaml b/charts/kyverno/ci/resourceFilters-values.yaml
new file mode 100644
index 000000000000..c5355f525b81
--- /dev/null
+++ b/charts/kyverno/ci/resourceFilters-values.yaml
@@ -0,0 +1,5 @@
+---
+config:
+ resourceFiltersExclude:
+ - '[Node,*,*]'
+ - '[Node/*,*,*]'
diff --git a/charts/kyverno/ci/resourceFiltersInclude-values.yaml b/charts/kyverno/ci/resourceFiltersInclude-values.yaml
new file mode 100644
index 000000000000..1fc0cf51f896
--- /dev/null
+++ b/charts/kyverno/ci/resourceFiltersInclude-values.yaml
@@ -0,0 +1,7 @@
+---
+config:
+ resourceFiltersInclude:
+ - '[MyCRD,*,*]'
+ - '[MyCRD/*,*,*]'
+ resourceFiltersIncludeNamespaces:
+ - "my-namespace"
diff --git a/charts/kyverno/grafana/dashboard.json b/charts/kyverno/grafana/dashboard.json
deleted file mode 100644
index e7fe1bd65f31..000000000000
--- a/charts/kyverno/grafana/dashboard.json
+++ /dev/null
@@ -1,2854 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS_KYVERNO", - "label": "Prometheus Data Source exposing Kyverno's metrics", - "description": "Prometheus Data Source exposing Kyverno's metrics", - "type": "datasource" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": "-- Grafana --", - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" - } - ] - }, - "description": "", - "editable": true, - "gnetId": null, - "graphTooltip": 0, - "id": 2, - "iteration": 1628375170149, - "links": [], - "panels": [ - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 42, - "options": { - "content": "# Kyverno\nA Kubernetes-native policy management engine\n\n#### About this dashboard\n\nThis dashboard represents generic insights that can be extracted from a cluster with Kyverno running.\n\n#### For more details around the metrics\n\nCheckout the [official docs of Kyverno metrics](https://kyverno.io/docs/monitoring/)", - "mode": "markdown" - }, - "pluginVersion": "8.1.0", - "timeFrom": null, - "timeShift": null, - "transparent": true, - "type": "text" - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 6 - }, - "id": 12, - "panels": [], - "title": "Latest Status", - "type": "row" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "max": 100, - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "red", - "value": null - }, - { - "color": "red", - "value": 50 - }, - { - "color": "#EAB839", - "value": 75 - }, - { - "color": "green", - "value": 100 - } - ] - }, - 
"unit": "percent" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 6, - "x": 0, - "y": 7 - }, - "id": 29, - "options": { - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\"}[24h]))*100/sum(increase(kyverno_policy_results_total{}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Rule Execution Failure Rate (Last 24 Hours)", - "transparent": true, - "type": "gauge" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 5, - "w": 4, - "x": 8, - "y": 7 - }, - "id": 2, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"cluster\"}==1) by (policy_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Cluster Policies", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 5, - "w": 4, - "x": 12, - "y": 7 - }, - "id": 3, - 
"options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_type=\"namespaced\"}==1) by (policy_name))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Policies", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "max": 100, - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "red", - "value": null - }, - { - "color": "red", - "value": 50 - }, - { - "color": "#EAB839", - "value": 75 - }, - { - "color": "green", - "value": 100 - } - ] - }, - "unit": "percent" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 6, - "x": 18, - "y": 7 - }, - "id": 28, - "options": { - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "text": {} - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_result=\"fail\", policy_background_mode=\"true\"}[24h]))*100/sum(increase(kyverno_policy_results_total{policy_background_mode=\"true\"}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Background Scans Failure Rate (Last 24 Hours)", - "transparent": true, - "type": "gauge" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - 
"overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 6, - "y": 12 - }, - "id": 4, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(kyverno_policy_rule_info_total{rule_type=\"validate\"}==1)", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Validate Rules", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 10, - "y": 12 - }, - "id": 23, - "options": { - "colorMode": "background", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(kyverno_policy_rule_info_total{rule_type=\"mutate\"}==1)", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Mutate Rules", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "noValue": "0", - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 14, - "y": 12 - }, - "id": 6, - "options": { - "colorMode": "background", - "graphMode": "none", - 
"justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "count(kyverno_policy_rule_info_total{rule_type=\"generate\"}==1)", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "timeFrom": null, - "timeShift": null, - "title": "Generate Rules", - "type": "stat" - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 16 - }, - "id": 26, - "panels": [], - "title": "Policy-Rule Results", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 17 - }, - "hiddenSeries": false, - "id": 15, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (rule_result)", - "interval": "", - "legendFormat": "{{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - 
"timeShift": null, - "title": "Admission Review Results (per-rule)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 17 - }, - "hiddenSeries": false, - "id": 17, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (rule_result)", - "interval": "", - "legendFormat": "{{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Background Scan Results (per-rule)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - 
}, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 16, - "w": 8, - "x": 16, - "y": 17 - }, - "hiddenSeries": false, - "id": 30, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "cluster", - "color": "#5794F2", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "namespaced", - "color": "#F2495C", - "dashes": true - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(sum(increase(kyverno_policy_results_total{rule_result=\"fail\"}[5m])) by (policy_name, policy_type)) by (policy_type)", - "interval": "", - "legendFormat": "{{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Policy Failures", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - 
"yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 25 - }, - "hiddenSeries": false, - "id": 31, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"admission_request\"}[5m])) by (policy_name, rule_result)) by (rule_result)", - "interval": "", - "legendFormat": "{{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Review Results (per-policy)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": 
null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 25 - }, - "hiddenSeries": false, - "id": 32, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:2021", - "alias": "pass", - "color": "rgb(43, 219, 23)", - "dashes": true - }, - { - "$$hashKey": "object:2029", - "alias": "fail", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(sum(increase(kyverno_policy_results_total{rule_execution_cause=\"background_scan\"}[5m])) by (policy_name, rule_result)) by (rule_result)", - "interval": "", - "legendFormat": "{{rule_result}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Background Scan Results (per-policy)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": 
null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 33 - }, - "id": 19, - "panels": [], - "title": "Policy-Rule Info", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 34 - }, - "hiddenSeries": false, - "id": 16, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3795", - "alias": "cluster", - "color": "#5794F2" - }, - { - "$$hashKey": "object:3800", - "alias": "namespaced", - "color": "#FF7383" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{}==1) by (policy_name, policy_type)) by (policy_type)", - "interval": "", - "legendFormat": "{{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Policies (by policy type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - 
"min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 8, - "y": 34 - }, - "hiddenSeries": false, - "id": 20, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3319", - "alias": "audit", - "color": "#37872D" - }, - { - "$$hashKey": "object:3335", - "alias": "enforce", - "color": "#FF9830" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{}==1) by (policy_name, policy_validation_mode)) by (policy_validation_mode)", - "interval": "", - "legendFormat": "audit", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Policies (by policy validation action)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - 
"show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 16, - "y": 34 - }, - "hiddenSeries": false, - "id": 24, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3934", - "alias": "cluster", - "color": "#B877D9" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_background_mode=\"true\"}==1) by (policy_name, policy_type)) by (policy_type)", - "interval": "", - "legendFormat": "{{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Policies running in background mode", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 
1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 8, - "x": 0, - "y": 42 - }, - "hiddenSeries": false, - "id": 21, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(count(kyverno_policy_rule_info_total{policy_namespace!=\"-\"}==1) by (policy_name, policy_namespace)) by (policy_namespace)", - "interval": "", - "legendFormat": "{{policy_namespace}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Namespaced Policies (by namespaces)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 10, - "x": 8, - "y": 42 - }, - "hiddenSeries": false, - "id": 14, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true 
- }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:3021", - "alias": "mutate", - "color": "rgb(169, 58, 227)" - }, - { - "$$hashKey": "object:3029", - "alias": "validate", - "color": "rgb(255, 232, 0)" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "count(kyverno_policy_rule_info_total{}==1) by (rule_type)", - "interval": "", - "legendFormat": "{{rule_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Active Rules (by rule type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 50 - }, - "id": 34, - "panels": [], - "title": "Policy-Rule Execution Latency", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 51 - }, - "hiddenSeries": false, - "id": 36, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": 
true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{}[5m])) by (rule_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{}[5m])) by (rule_type)", - "interval": "", - "legendFormat": "{{rule_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Average Rule Execution Latency Over Time", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:5548", - "format": "s", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:5549", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 51 - }, - "hiddenSeries": false, - "id": 37, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": 
[ - { - "$$hashKey": "object:5526", - "alias": "cluster", - "color": "#5794F2" - }, - { - "$$hashKey": "object:5534", - "alias": "namespaced", - "color": "#F2495C" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_policy_execution_duration_seconds_sum{}[5m])) by (policy_type) / sum(rate(kyverno_policy_execution_duration_seconds_count{}[5m])) by (policy_type)", - "interval": "", - "legendFormat": "{{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Average Policy Execution Latency Over Time", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:5548", - "format": "clocks", - "label": "", - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:5549", - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": false - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "purple", - "value": null - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 51 - }, - "id": 39, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(kyverno_policy_execution_duration_seconds_sum{}) / 
sum(kyverno_policy_execution_duration_seconds_count{})", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Overall Average Rule Execution Latency", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 55 - }, - "id": 40, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "avg(sum(kyverno_policy_execution_duration_seconds_sum{}) by (policy_name, policy_type) / sum(kyverno_policy_execution_duration_seconds_count{}) by (policy_name, policy_type))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Overall Average Policy Execution Latency", - "type": "stat" - }, - { - "collapsed": false, - "datasource": null, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 59 - }, - "id": 52, - "panels": [], - "title": "Admission Review Latency", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 60 - }, - "hiddenSeries": false, - "id": 53, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - 
"pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{}[5m])) by (resource_request_operation) / sum(rate(kyverno_admission_review_duration_seconds_count{}[5m])) by (resource_request_operation)", - "interval": "", - "legendFormat": "Resource Operation: {{resource_request_operation}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Avg - Admission Review Duration Over Time (by operation)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 60 - }, - "hiddenSeries": false, - "id": 54, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - 
"exemplar": true, - "expr": "sum(rate(kyverno_admission_review_duration_seconds_sum{}[5m])) by (resource_kind) / sum(rate(kyverno_admission_review_duration_seconds_count{}[5m])) by (resource_kind)", - "interval": "", - "legendFormat": "Resource Kind: {{resource_kind}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Avg - Admission Review Duration Over Time (by resource kind)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "s", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 60 - }, - "id": 50, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{}[5m]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Rate - Incoming Admission Requests (per 5m)", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - 
"color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "purple", - "value": null - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 64 - }, - "id": 55, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(kyverno_admission_review_duration_seconds_sum{})/sum(kyverno_admission_review_duration_seconds_count{})", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Avg - Overall Admission Review Duration", - "type": "stat" - }, - { - "collapsed": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": {}, - "overrides": [] - }, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 68 - }, - "id": 8, - "panels": [], - "title": "Policy Changes", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 69 - }, - "hiddenSeries": false, - "id": 10, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1487", - "alias": "Change type: created", - "color": "#5794F2" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": 
true, - "expr": "sum(increase(kyverno_policy_changes_total{}[5m])) by (policy_change_type)", - "interval": "", - "legendFormat": "Change type: {{policy_change_type}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Policy Changes Over Time (by change type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 69 - }, - "hiddenSeries": false, - "id": 13, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1679", - "alias": "cluster", - "color": "#F2495C" - }, - { - "$$hashKey": "object:1769" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_changes_total{}[5m])) by (policy_type)", - "interval": "", - "legendFormat": "{{policy_type}}", - "refId": "A" - } - ], - "thresholds": [], - 
"timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Policy Changes Over Time (by policy type)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "orange", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 69 - }, - "id": 49, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_policy_changes_total{}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Total Policy Changes (Last 24 Hours)", - "type": "stat" - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "red", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 6, - "x": 18, - "y": 73 - }, - "id": 48, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": 
"auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(rate(kyverno_policy_changes_total{}[5m]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Rate - Policy Changes Happening (last 5m)", - "type": "stat" - }, - { - "collapsed": false, - "datasource": null, - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 77 - }, - "id": 44, - "panels": [], - "title": "Admission Requests", - "type": "row" - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 0, - "y": 78 - }, - "hiddenSeries": false, - "id": 45, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1487", - "alias": "Change type: created", - "color": "#5794F2" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{}[5m])) by (resource_request_operation)", - "interval": "", - "legendFormat": "Resource Operation: {{resource_request_operation}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Requests (by operation)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": 
null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - { - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "aliasColors": {}, - "bars": false, - "dashLength": 10, - "dashes": false, - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fill": 1, - "fillGradient": 0, - "gridPos": { - "h": 8, - "w": 9, - "x": 9, - "y": 78 - }, - "hiddenSeries": false, - "id": 46, - "legend": { - "alignAsTable": true, - "avg": false, - "current": true, - "max": true, - "min": true, - "rightSide": false, - "show": true, - "total": false, - "values": true - }, - "lines": true, - "linewidth": 1, - "nullPointMode": "null", - "options": { - "alertThreshold": true - }, - "percentage": false, - "pluginVersion": "8.1.0", - "pointradius": 2, - "points": false, - "renderer": "flot", - "seriesOverrides": [ - { - "$$hashKey": "object:1487", - "alias": "Change type: created", - "color": "#5794F2" - } - ], - "spaceLength": 10, - "stack": false, - "steppedLine": false, - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{}[5m])) by (resource_kind)", - "interval": "", - "legendFormat": "Resource Kind: {{resource_kind}}", - "refId": "A" - } - ], - "thresholds": [], - "timeFrom": null, - "timeRegions": [], - "timeShift": null, - "title": "Admission Requests (by resource kind)", - "tooltip": { - "shared": true, - "sort": 0, - "value_type": "individual" - }, - "transparent": true, - "type": "graph", - "xaxis": { - "buckets": null, - "mode": "time", - "name": null, - "show": true, - "values": [] - }, - "yaxes": [ - { - "$$hashKey": "object:218", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - }, - 
{ - "$$hashKey": "object:219", - "format": "short", - "label": null, - "logBase": 1, - "max": null, - "min": null, - "show": true - } - ], - "yaxis": { - "align": false, - "alignLevel": null - } - }, - { - "datasource": "${DS_PROMETHEUS_KYVERNO}", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "semi-dark-green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 6, - "x": 18, - "y": 78 - }, - "id": 47, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "text": {}, - "textMode": "auto" - }, - "pluginVersion": "8.1.0", - "targets": [ - { - "exemplar": true, - "expr": "sum(increase(kyverno_admission_requests_total{}[24h]))", - "interval": "", - "legendFormat": "", - "refId": "A" - } - ], - "title": "Total Admission Requests (Last 24 Hours)", - "type": "stat" - } - ], - "refresh": false, - "schemaVersion": 30, - "style": "dark", - "tags": [], - "templating": { - "list": [ - { - "hide": 0, - "label": "datasource", - "name": "DS_PROMETHEUS_KYVERNO", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "type": "datasource" - } - ] - }, - "time": { - "from": "now-1h", - "to": "now" - }, - "timepicker": {}, - "timezone": "", - "title": "Kyverno", - "folder": "Kyverno", - "uid": "Rg8lWBG7k", - "version": "1.4.3" -} \ No newline at end of file diff --git a/charts/kyverno/templates/NOTES.txt b/charts/kyverno/templates/NOTES.txt index 7955e169e5a0..c282d5865ce4 100644 --- a/charts/kyverno/templates/NOTES.txt +++ b/charts/kyverno/templates/NOTES.txt 
@@ -1,16 +1,46 @@ Chart version: {{ .Chart.Version }} -Kyverno version: {{ default .Chart.AppVersion (default .Values.image.tag .Values.initImage.tag) }} +Kyverno version: {{ default .Chart.AppVersion (default .Values.admissionController.container.image.tag .Values.admissionController.initContainer.image.tag) }} Thank you for installing {{ .Chart.Name }}! Your release is named {{ .Release.Name }}. -{{- if not .Values.replicaCount }} -⚠️ WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode. -{{- else if lt (int .Values.replicaCount) 3 }} -⚠️ WARNING: Setting replicas count below 3 means Kyverno is not running in high availability mode. +The following components have been installed in your cluster: +{{- if .Values.crds.install }} +- CRDs +{{- end }} +- Admission controller +{{- if .Values.reportsController.enabled }} +- Reports controller +{{- end }} +{{- if .Values.cleanupController.enabled }} +- Cleanup controller +{{- end }} +{{- if .Values.backgroundController.enabled }} +- Background controller +{{- end }} +{{- if .Values.grafana.enabled }} +- Grafana dashboard {{- end }} -💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks. +{{ if not .Values.admissionController.replicas }} +⚠️ WARNING: Setting the admission controller replica count below 2 means Kyverno is not running in high availability mode. +{{- else if lt (int .Values.admissionController.replicas) 2 }} +⚠️ WARNING: Setting the admission controller replica count below 2 means Kyverno is not running in high availability mode. +{{- end }} {{- if semverCompare "<1.21.0" .Capabilities.KubeVersion.Version }} ⚠️ WARNING: The minimal Kubernetes version officially supported by Kyverno is 1.21. 
Earlier versions are untested and Kyverno is not guaranteed to work with Kubernetes {{ .Capabilities.KubeVersion.Version }}. {{- end }} + +{{- with .Values.config.matchConditions }} +⚠️ WARNING: Match conditions require a Kubernetes 1.27+ cluster with `AdmissionWebhookMatchConditions` feature gate enabled. +{{- end }} + +{{- with .Values.features.generateValidatingAdmissionPolicy.enabled }} +⚠️ WARNING: Generating ValidatingAdmissionPolicy requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. +{{- end }} + +{{- with .Values.features.validatingAdmissionPolicyReports.enabled }} +⚠️ WARNING: Generating reports from ValidatingAdmissionPolicies requires a Kubernetes 1.27+ cluster with `ValidatingAdmissionPolicy` feature gate and `admissionregistration.k8s.io` API group enabled. +{{- end }} + +💡 Note: There is a trade-off when deciding which approach to take regarding Namespace exclusions. Please see the documentation at https://kyverno.io/docs/installation/#security-vs-operability to understand the risks. diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl index b3354e960c24..48803c82e152 100644 --- a/charts/kyverno/templates/_helpers.tpl +++ b/charts/kyverno/templates/_helpers.tpl 
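Review bot: The two replica-count branches near the top of the hunk emit the identical HA warning twice; the `not` branch only covers an unset or zero `admissionController.replicas`, which `lt (int ...) 2` already catches provided sprig's `int` maps nil to 0 as it does for other empty values — worth confirming, then collapsing both into a single `{{- if lt (int .Values.admissionController.replicas) 2 }}`. That first branch is also written `{{ if` without the left-trim every neighbouring action uses, so it renders an extra blank line before the warning; if the spacing is deliberate, a template comment such as `{{/* blank line separates the component list from the warnings */}}` would stop the next editor "fixing" it. The removed lines warned below 3 replicas and the new ones warn below 2, but the warning text gives no reason for the new threshold; one clause explaining what 2 replicas does and does not protect against would help operators judge whether it meets their availability needs. The rest of the template is visible and unchanged apart from the moved Namespace-exclusion note.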
@@ -1,204 +1,94 @@ {{/* vim: set filetype=mustache: */}} -{{/* Expand the name of the chart. */}} -{{- define "kyverno.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "kyverno.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- define "kyverno.chartVersion" -}} +{{- if .Values.templating.enabled -}} + {{- required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" -}} {{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} + {{- .Chart.Version | replace "+" "_" -}} {{- end -}} {{- end -}} -{{/* Create chart name and version as used by the chart label. */}} -{{- define "kyverno.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- define "kyverno.features.flags" -}} +{{- $flags := list -}} +{{- with .admissionReports -}} + {{- $flags = append $flags (print "--admissionReports=" .enabled) -}} + {{- with .backPressureThreshold -}} + {{- $flags = append $flags (print "--maxAdmissionReports=" .) -}} + {{- end -}} {{- end -}} - -{{/* Helm labels */}} -{{- define "kyverno.helmLabels" -}} -{{- if not .Values.templating.enabled -}} -helm.sh/chart: {{ template "kyverno.chart" . 
}} -app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .aggregateReports -}} + {{- $flags = append $flags (print "--aggregateReports=" .enabled) -}} {{- end -}} +{{- with .policyReports -}} + {{- $flags = append $flags (print "--policyReports=" .enabled) -}} {{- end -}} - -{{/* Version labels */}} -{{- define "kyverno.versionLabels" -}} -{{- if .Values.templating.enabled -}} -app.kubernetes.io/version: {{ required "templating.version is required when templating.enabled is true" .Values.templating.version | replace "+" "_" }} -{{- else -}} -app.kubernetes.io/version: {{ .Chart.Version | replace "+" "_" }} +{{- with .validatingAdmissionPolicyReports -}} + {{- $flags = append $flags (print "--validatingAdmissionPolicyReports=" .enabled) -}} {{- end -}} +{{- with .autoUpdateWebhooks -}} + {{- $flags = append $flags (print "--autoUpdateWebhooks=" .enabled) -}} {{- end -}} - -{{/* CRD labels */}} -{{- define "kyverno.crdLabels" -}} -app.kubernetes.io/component: kyverno -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.matchLabels" .) }} -{{ . }} -{{- end }} -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -{{- with (include "kyverno.versionLabels" .) }} -{{ . }} -{{- end }} +{{- with .backgroundScan -}} + {{- $flags = append $flags (print "--backgroundScan=" .enabled) -}} + {{- $flags = append $flags (print "--backgroundScanWorkers=" .backgroundScanWorkers) -}} + {{- $flags = append $flags (print "--backgroundScanInterval=" .backgroundScanInterval) -}} + {{- $flags = append $flags (print "--skipResourceFilters=" .skipResourceFilters) -}} {{- end -}} - -{{/* Helm required labels */}} -{{- define "kyverno.labels" -}} -app.kubernetes.io/component: kyverno -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.matchLabels" .) }} -{{ . }} -{{- end }} -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -{{- with (include "kyverno.versionLabels" .) }} -{{ . 
}} -{{- end }} -{{- if .Values.customLabels }} -{{ toYaml .Values.customLabels }} -{{- end }} +{{- with .configMapCaching -}} + {{- $flags = append $flags (print "--enableConfigMapCaching=" .enabled) -}} {{- end -}} - -{{/* Helm required labels */}} -{{- define "kyverno.test-labels" -}} -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -app: kyverno -app.kubernetes.io/component: kyverno -app.kubernetes.io/instance: {{ .Release.Name }} -app.kubernetes.io/name: {{ template "kyverno.name" . }}-test -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -app.kubernetes.io/version: "{{ .Chart.Version | replace "+" "_" }}" +{{- with .deferredLoading -}} + {{- $flags = append $flags (print "--enableDeferredLoading=" .enabled) -}} {{- end -}} - -{{/* matchLabels */}} -{{- define "kyverno.matchLabels" -}} -{{- if .Values.templating.enabled -}} -app: kyverno -{{- end }} -app.kubernetes.io/name: {{ template "kyverno.name" . }} -{{- if not .Values.templating.enabled }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end }} +{{- with .dumpPayload -}} + {{- $flags = append $flags (print "--dumpPayload=" .enabled) -}} {{- end -}} - -{{/* Get the config map name. */}} -{{- define "kyverno.configMapName" -}} -{{- printf "%s" (default (include "kyverno.fullname" .) .Values.config.existingConfig) -}} +{{- with .forceFailurePolicyIgnore -}} + {{- $flags = append $flags (print "--forceFailurePolicyIgnore=" .enabled) -}} {{- end -}} - -{{/* Get the metrics config map name. */}} -{{- define "kyverno.metricsConfigMapName" -}} -{{- printf "%s" (default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.config.existingMetricsConfig) -}} +{{- with .generateValidatingAdmissionPolicy -}} + {{- $flags = append $flags (print "--generateValidatingAdmissionPolicy=" .enabled) -}} {{- end -}} - -{{/* Get the namespace name. 
*/}} -{{- define "kyverno.namespace" -}} -{{- if .Values.namespace -}} - {{- .Values.namespace -}} -{{- else -}} - {{- .Release.Namespace -}} +{{- with .globalContext -}} + {{- $flags = append $flags (print "--maxAPICallResponseLength=" (int .maxApiCallResponseLength)) -}} {{- end -}} +{{- with .logging -}} + {{- $flags = append $flags (print "--loggingFormat=" .format) -}} + {{- $flags = append $flags (print "--v=" (join "," .verbosity)) -}} {{- end -}} - -{{/* Create the name of the service to use */}} -{{- define "kyverno.serviceName" -}} -{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- with .omitEvents -}} + {{- with .eventTypes -}} + {{- $flags = append $flags (print "--omitEvents=" (join "," .)) -}} + {{- end -}} {{- end -}} - -{{/* Create the name of the service account to use */}} -{{- define "kyverno.serviceAccountName" -}} -{{- if .Values.rbac.serviceAccount.create -}} - {{ default (include "kyverno.fullname" .) .Values.rbac.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.rbac.serviceAccount.name }} +{{- with .policyExceptions -}} + {{- $flags = append $flags (print "--enablePolicyException=" .enabled) -}} + {{- with .namespace -}} + {{- $flags = append $flags (print "--exceptionNamespace=" .) 
-}} + {{- end -}} {{- end -}} +{{- with .protectManagedResources -}} + {{- $flags = append $flags (print "--protectManagedResources=" .enabled) -}} {{- end -}} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.podDisruptionBudget.spec" -}} -{{- if and .Values.podDisruptionBudget.minAvailable .Values.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.podDisruptionBudget.minAvailable and .Values.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} - -{{- define "kyverno.securityContext" -}} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} -{{ toYaml (omit .Values.securityContext "seccompProfile") }} -{{- else }} -{{ toYaml .Values.securityContext }} -{{- end }} -{{- end }} - -{{- define "kyverno.testSecurityContext" -}} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} -{{ toYaml (omit .Values.testSecurityContext "seccompProfile") }} -{{- else }} -{{ toYaml .Values.testSecurityContext }} -{{- end }} -{{- end }} - -{{- define "kyverno.imagePullSecret" }} -{{- printf "{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }} -{{- end }} - -{{- define "kyverno.image" -}} - {{- if .image.registry -}} -{{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} - {{- else -}} -{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- with .registryClient -}} + {{- $flags = append $flags (print "--allowInsecureRegistry=" .allowInsecure) -}} + {{- $flags = append $flags (print "--registryCredentialHelpers=" (join "," .credentialHelpers)) -}} 
+{{- end -}} +{{- with .ttlController -}} + {{- $flags = append $flags (print "--ttlReconciliationInterval=" .reconciliationInterval) -}} +{{- end -}} +{{- with .tuf -}} + {{- with .enabled -}} + {{- $flags = append $flags (print "--enableTuf=" .) -}} {{- end -}} -{{- end }} - -{{- define "kyverno.resourceFilters" -}} -{{- $resourceFilters := .Values.config.resourceFilters }} -{{- if .Values.excludeKyvernoNamespace }} - {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*,%s,*]" (include "kyverno.namespace" .)) }} -{{- end }} -{{- range $exclude := .Values.resourceFiltersExcludeNamespaces }} - {{- range $filter := $resourceFilters }} - {{- if (contains (printf ",%s," $exclude) $filter) }} - {{- $resourceFilters = without $resourceFilters $filter }} - {{- end }} - {{- end }} -{{- end }} -{{- tpl (join "" $resourceFilters) . }} -{{- end }} - -{{- define "kyverno.webhooks" -}} -{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }} -{{- $newWebhook := list }} -{{- range $webhook := .Values.config.webhooks }} - {{- $namespaceSelector := default dict $webhook.namespaceSelector }} - {{- $matchExpressions := default list $namespaceSelector.matchExpressions }} - {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }} - {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }} -{{- end }} -{{- $newWebhook | toJson }} -{{- end }} + {{- with .mirror -}} + {{- $flags = append $flags (print "--tufMirror=" .) -}} + {{- end -}} + {{- with .root -}} + {{- $flags = append $flags (print "--tufRoot=" .) -}} + {{- end -}} +{{- end -}} +{{- with $flags -}} + {{- toYaml . -}} +{{- end -}} +{{- end -}} \ No newline at end of file 
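Review bot: In `kyverno.features.flags` the `tuf` branch wraps `.enabled` in `with`, so `--enableTuf=false` is never rendered, whereas every other toggle (`admissionReports`, `policyExceptions`, `protectManagedResources`, …) prints `.enabled` unconditionally; an explicit `false` in values therefore cannot override whatever the binary defaults to. Writing it like its siblings, `{{- $flags = append $flags (print "--enableTuf=" .enabled) -}}`, keeps the rendered args in one-to-one correspondence with the values. The `registryClient` branch also emits `--allowInsecureRegistry=` straight from `.allowInsecure` with no comment on what it relaxes (presumably insecure registry connections); since this define is the single place all feature flags are built, a one-line `{{/* allowInsecure relaxes registry transport security; keep false outside test clusters */}}` above it would make the risk visible where the flag originates.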
diff --git a/charts/kyverno/templates/_helpers/_deployment.tpl b/charts/kyverno/templates/_helpers/_deployment.tpl new file mode 100644 index 000000000000..5898ed086801 --- /dev/null +++ b/charts/kyverno/templates/_helpers/_deployment.tpl @@ -0,0 +1,10 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.deployment.replicas" -}} + {{- if and (not (kindIs "invalid" .)) (not (kindIs "string" .)) -}} + {{- if eq (int .) 0 -}} + {{- fail "Kyverno does not support running with 0 replicas. Please provide a non-zero integer value." -}} + {{- end -}} + {{- end -}} + {{- . -}} +{{- end -}} diff --git a/charts/kyverno/templates/_helpers/_flowcontrol.tpl b/charts/kyverno/templates/_helpers/_flowcontrol.tpl new file mode 100644 index 000000000000..d6fb1077e361 --- /dev/null +++ b/charts/kyverno/templates/_helpers/_flowcontrol.tpl @@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.flowcontrol.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1" -}} + flowcontrol.apiserver.k8s.io/v1 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta3" -}} + flowcontrol.apiserver.k8s.io/v1beta3 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta2" -}} + flowcontrol.apiserver.k8s.io/v1beta2 +{{- else if .Capabilities.APIVersions.Has "flowcontrol.apiserver.k8s.io/v1beta1" -}} + flowcontrol.apiserver.k8s.io/v1beta1 +{{- else -}} + flowcontrol.apiserver.k8s.io/v1alpha1 +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/_helpers/_image.tpl b/charts/kyverno/templates/_helpers/_image.tpl new file mode 100644 index 000000000000..90f95d0c312e --- /dev/null +++ b/charts/kyverno/templates/_helpers/_image.tpl 
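Review bot: `kyverno.deployment.replicas` fails only on a numeric zero; a nil value passes the `kindIs "invalid"` test and a quoted `"0"` passes the `kindIs "string"` test, so both are echoed unchecked (an empty `replicas:` or `replicas: "0"`). If the string pass-through is deliberate so templated placeholders can be substituted after rendering, say so above the guard: `{{/* strings and nil are passed through unchanged so placeholders can be substituted later */}}`. Otherwise dropping the string exclusion and keeping `if eq (int .) 0` should also catch the quoted form, since sprig's `int` converts numeric strings.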
@@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.image" -}} +{{- $tag := default .defaultTag .image.tag -}} +{{- if not (typeIs "string" $tag) -}} + {{ fail "Image tags must be strings." }} +{{- end -}} +{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- if $imageRegistry -}} + {{- print $imageRegistry "/" (required "An image repository is required" .image.repository) ":" $tag -}} +{{- else -}} + {{- print (required "An image repository is required" .image.repository) ":" $tag -}} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/_helpers/_labels.tpl b/charts/kyverno/templates/_helpers/_labels.tpl new file mode 100644 index 000000000000..8207781121dc --- /dev/null +++ b/charts/kyverno/templates/_helpers/_labels.tpl @@ -0,0 +1,43 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.labels.merge" -}} +{{- $labels := dict -}} +{{- range . -}} + {{- $labels = merge $labels (fromYaml .) -}} +{{- end -}} +{{- with $labels -}} + {{- toYaml $labels -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.helm" -}} +{{- if not .Values.templating.enabled -}} +helm.sh/chart: {{ template "kyverno.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.labels.version" -}} +app.kubernetes.io/version: {{ template "kyverno.chartVersion" . }} +{{- end -}} + +{{- define "kyverno.labels.common" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.helm" .) + (include "kyverno.labels.version" .) + (toYaml .Values.customLabels) +) -}} +{{- end -}} + +{{- define "kyverno.matchLabels.common" -}} +app.kubernetes.io/part-of: {{ template "kyverno.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{- define "kyverno.labels.component" -}} +app.kubernetes.io/component: {{ . }} +{{- end -}} + +{{- define "kyverno.labels.name" -}} +app.kubernetes.io/name: {{ . }} +{{- end -}} 
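Review bot: In `kyverno.image`, `default .image.registry .globalRegistry` makes the global registry win whenever it is set and demotes the per-image registry to a fallback, which is the reverse of what a reader expects from a per-component value, and nothing in the helper says so. A comment above that line, `{{/* a global registry takes precedence over the per-image registry; the per-image value is only a fallback */}}`, would document the precedence at the point it is decided. The helper also only composes `repository:tag`, so a caller who wants to pin by digest has to encode it in the tag; that is worth a sentence in the values documentation.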
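Review bot: `kyverno.labels.merge` folds its list with `merge $labels (fromYaml .)`, and sprig's `merge` keeps keys already present in the destination, so on duplicate keys the first entry in the list wins; in `kyverno.labels.common` that means `.Values.customLabels`, passed last, can never override a Helm or version label. This precedence is invisible at the call sites, so a comment on the define, `{{/* earlier entries take precedence over later ones on duplicate keys */}}`, would keep callers from appending overrides last and expecting them to apply.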
diff --git a/charts/kyverno/templates/_helpers/_names.tpl b/charts/kyverno/templates/_helpers/_names.tpl new file mode 100644 index 000000000000..90ed08f6c13b --- /dev/null +++ b/charts/kyverno/templates/_helpers/_names.tpl @@ -0,0 +1,26 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.fullname" -}} +{{- if .Values.fullnameOverride -}} + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- $name := default .Chart.Name .Values.nameOverride -}} + {{- if contains $name .Release.Name -}} + {{- .Release.Name | trunc 63 | trimSuffix "-" -}} + {{- else -}} + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "kyverno.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.namespace" -}} +{{ default .Release.Namespace .Values.namespaceOverride }} +{{- end -}} diff --git a/charts/kyverno/templates/_helpers/_pdb.tpl b/charts/kyverno/templates/_helpers/_pdb.tpl new file mode 100644 index 000000000000..4d4af90599a8 --- /dev/null +++ b/charts/kyverno/templates/_helpers/_pdb.tpl 
@@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.pdb.apiVersion" -}} +{{- if .Values.apiVersionOverride.podDisruptionBudget -}} + {{- .Values.apiVersionOverride.podDisruptionBudget -}} +{{- else if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} + policy/v1 +{{- else -}} + policy/v1beta1 +{{- end -}} +{{- end -}} + +{{- define "kyverno.pdb.spec" -}} +{{- if and .minAvailable .maxUnavailable -}} + {{- fail "Cannot set both .minAvailable and .maxUnavailable" -}} +{{- end -}} +{{- if not .maxUnavailable }} +minAvailable: {{ default 1 .minAvailable }} +{{- end }} +{{- if .maxUnavailable }} +maxUnavailable: {{ .maxUnavailable }} +{{- end }} +{{- end -}} diff --git a/charts/kyverno/templates/_templating/_helpers.tpl b/charts/kyverno/templates/_templating/_helpers.tpl new file mode 100644 index 000000000000..36650be3db3f --- /dev/null +++ b/charts/kyverno/templates/_templating/_helpers.tpl @@ -0,0 +1,8 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.templating.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.matchLabels.common" .) +) -}} +{{- end -}} diff --git a/charts/kyverno/templates/_templating/namespace.yaml b/charts/kyverno/templates/_templating/namespace.yaml new file mode 100644 index 000000000000..b213c83fe008 --- /dev/null +++ b/charts/kyverno/templates/_templating/namespace.yaml @@ -0,0 +1,8 @@ +{{- if .Values.templating.enabled -}} +apiVersion: v1 +kind: Namespace +metadata: + name: {{ include "kyverno.namespace" . }} + labels: + {{- include "kyverno.templating.labels" . | nindent 4 }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/_helpers.tpl b/charts/kyverno/templates/admission-controller/_helpers.tpl new file mode 100644 index 000000000000..0be041a2ebb4 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/_helpers.tpl 
@@ -0,0 +1,39 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.admission-controller.name" -}} +{{ template "kyverno.name" . }}-admission-controller +{{- end -}} + +{{- define "kyverno.admission-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.admission-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.admission-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "admission-controller") +) -}} +{{- end -}} + +{{- define "kyverno.admission-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:admission-controller +{{- end -}} + +{{- define "kyverno.admission-controller.serviceAccountName" -}} +{{- if .Values.admissionController.rbac.create -}} + {{ default (include "kyverno.admission-controller.name" .) .Values.admissionController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.admissionController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.admission-controller.serviceName" -}} +{{- printf "%s-svc" (include "kyverno.fullname" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kyverno.admission-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.admission-controller.name" .) }} +{{- end -}} \ No newline at end of file diff --git a/charts/kyverno/templates/admission-controller/clusterrole.yaml b/charts/kyverno/templates/admission-controller/clusterrole.yaml new file mode 100644 index 000000000000..25f1ade81a4d --- /dev/null +++ b/charts/kyverno/templates/admission-controller/clusterrole.yaml 
@@ -0,0 +1,154 @@ +{{- if .Values.admissionController.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }}:core + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + {{- if .Values.features.generateValidatingAdmissionPolicy.enabled }} + - validatingadmissionpolicies + - validatingadmissionpolicybindings + {{- end }} + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - list + - watch + - apiGroups: + - kyverno.io + resources: + - policies + - policies/status + - clusterpolicies + - clusterpolicies/status + - updaterequests + - updaterequests/status + - globalcontextentries + - globalcontextentries/status + - policyexceptions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + resources: + - ephemeralreports + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - policyreports/status + - clusterpolicyreports + - clusterpolicyreports/status + verbs: + - 
create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '' + resources: + - configmaps + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - update + - patch + - get + - list + - watch +{{- with .Values.admissionController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.admissionController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.admission-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.admission-controller.labels" $ | nindent 4 }} +rules: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml b/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml new file mode 100644 index 000000000000..6272deec4d30 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.admissionController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.admission-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} 
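Review bot: The aggregated ClusterRole's `clusterRoleSelectors` match on `kyverno.admission-controller.matchLabels`, the same label set every admission-controller object carries, so any ClusterRole created with those labels is folded into the admission controller's permissions; this is how the `:core` and `:additional` roles attach, but it is also the chart's privilege-extension point and nothing in the template says so. A comment above `aggregationRule:`, `# any ClusterRole carrying the admission-controller matchLabels is aggregated into this role; do not reuse these labels on roles that should not grant it permissions`, would make that contract explicit for anyone adding labelled roles later. The `:core` rules also grant full CRUD on `policyexceptions` and write access to `leases`; a short rationale comment per rule group would help future reviews of privilege scope.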
diff --git a/charts/kyverno/templates/admission-controller/configmap.yaml b/charts/kyverno/templates/admission-controller/configmap.yaml new file mode 100644 index 000000000000..d0b2bf66e412 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.admissionController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/deployment.yaml b/charts/kyverno/templates/admission-controller/deployment.yaml new file mode 100644 index 000000000000..6017e9ad23e7 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/deployment.yaml 
@@ -0,0 +1,265 @@ +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.admissionController.replicas }} + revisionHistoryLimit: {{ .Values.admissionController.revisionHistoryLimit }} + {{- with .Values.admissionController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 8 }} + {{- with .Values.admissionController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.admissionController.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.admissionController.hostNetwork }} + hostNetwork: {{ . 
}} + {{- end }} + {{- with .Values.admissionController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- if or .Values.admissionController.antiAffinity.enabled .Values.admissionController.podAffinity .Values.admissionController.nodeAffinity }} + affinity: + {{- if .Values.admissionController.antiAffinity.enabled }} + {{- with .Values.admissionController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.admissionController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.admission-controller.serviceAccountName" . }} + initContainers: + {{- with .Values.admissionController.extraInitContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: kyverno-pre + image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.initContainer.image "defaultTag" (default .Chart.AppVersion .Values.admissionController.container.image.tag)) | quote }} + imagePullPolicy: {{ default .Values.admissionController.container.image.pullPolicy .Values.admissionController.initContainer.image.pullPolicy }} + args: + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + "logging" + ) | nindent 12 }} + {{- range $key, $value := .Values.admissionController.initContainer.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{- with .Values.admissionController.initContainer.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.initContainer.securityContext }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.admission-controller.name" . }} + - name: KYVERNO_SVC + value: {{ template "kyverno.admission-controller.serviceName" . }} + {{- with (concat .Values.global.extraEnvVars .Values.admissionController.initContainer.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + containers: + {{- with .Values.admissionController.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + - name: kyverno + image: {{ include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.admissionController.container.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.admissionController.container.image.pullPolicy }} + args: + - --caSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - --tlsSecretName={{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + - --backgroundServiceAccountName=system:serviceaccount:{{ include "kyverno.namespace" . }}:{{ include "kyverno.background-controller.serviceAccountName" . 
}} + - --servicePort={{ .Values.admissionController.service.port }} + - --webhookServerPort={{ .Values.admissionController.webhookServer.port }} + {{- if .Values.admissionController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.admissionController.tracing.address }} + - --tracingPort={{ .Values.admissionController.tracing.port }} + {{- with .Values.admissionController.tracing.creds }} + - --tracingCreds={{ . }} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.admissionController.metering.disabled }} + {{- if not .Values.admissionController.metering.disabled }} + - --otelConfig={{ .Values.admissionController.metering.config }} + - --metricsPort={{ .Values.admissionController.metering.port }} + {{- with .Values.admissionController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.admissionController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.admissionController.featuresOverride) + "admissionReports" + "autoUpdateWebhooks" + "configMapCaching" + "deferredLoading" + "dumpPayload" + "forceFailurePolicyIgnore" + "generateValidatingAdmissionPolicy" + "globalContext" + "logging" + "omitEvents" + "policyExceptions" + "protectManagedResources" + "registryClient" + "tuf" + ) | nindent 12 }} + {{- range $key, $value := .Values.admissionController.container.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{ if .Values.admissionController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.admissionController.profiling.port }} + {{- end }} + {{- with .Values.admissionController.container.resources }} + resources: + {{- tpl (toYaml .) 
$ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.container.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + ports: + - containerPort: {{ .Values.admissionController.webhookServer.port }} + name: https + protocol: TCP + - containerPort: {{ .Values.admissionController.metering.port }} + name: metrics-port + protocol: TCP + {{ if .Values.admissionController.profiling.enabled }} + - containerPort: {{ .Values.admissionController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} + env: + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.admission-controller.serviceAccountName" . }} + - name: KYVERNO_SVC + value: {{ template "kyverno.admission-controller.serviceName" . }} + - name: TUF_ROOT + value: {{ .Values.admissionController.tufRootMountPath }} + {{- with (concat .Values.global.extraEnvVars .Values.admissionController.container.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.admission-controller.name" . }} + {{- with .Values.admissionController.startupProbe }} + startupProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.livenessProbe }} + livenessProbe: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.admissionController.readinessProbe }} + readinessProbe: + {{- tpl (toYaml .) 
$ | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: {{ .Values.admissionController.tufRootMountPath }} + name: sigstore + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + volumes: + - name: sigstore + {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }} + {{- if or .Values.admissionController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.admission-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.admissionController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.admissionController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/flowschema.yaml b/charts/kyverno/templates/admission-controller/flowschema.yaml new file mode 100644 index 000000000000..779eeefc43d7 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/flowschema.yaml 
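Review bot: The `--imagePullSecrets` arg is built from `keys .Values.imagePullSecrets`, and sprig's `keys` returns map keys in no guaranteed order, so the rendered argument can differ between `helm template` runs and cause diff noise or spurious rollouts. Sorting fixes it: `- --imagePullSecrets={{- join "," (concat (sortAlpha (keys .Values.imagePullSecrets)) .Values.existingImagePullSecrets) }}`. Separately, the two `{{ if .Values.admissionController.profiling.enabled }}` lines (under `args:` and under `ports:`) lack the left trim every neighbouring action uses and leave a blank line in the output; `{{- if` matches the rest of the file.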
@@ -0,0 +1,222 @@ +{{- if .Values.admissionController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: FlowSchema +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + priorityLevelConfiguration: + name: {{ template "kyverno.admission-controller.name" . }} + rules: + - resourceRules: + - apiGroups: + - admissionregistration.k8s.io + clusterScope: true + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - rbac.authorization.k8s.io + clusterScope: true + resources: + - clusterroles + - clusterrolebindings + verbs: + - watch + - list + - apiGroups: + - rbac.authorization.k8s.io + namespaces: + - '*' + resources: + - roles + - rolebindings + verbs: + - watch + - list + - apiGroups: + - kyverno.io + clusterScope: true + resources: + - clusterpolicies + - clusterpolicies/status + - globalcontextentries + - globalcontextentries/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - kyverno.io + namespaces: + - '*' + resources: + - policies + - policies/status + - updaterequests + - updaterequests/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + clusterScope: true + resources: + - clusterephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - reports.kyverno.io + namespaces: + - '*' + resources: + - ephemeralreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + clusterScope: true + resources: + - clusterpolicyreports + - 
clusterpolicyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - wgpolicyk8s.io + namespaces: + - '*' + resources: + - policyreports + - policyreports/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - "" + - events.k8s.io + namespaces: + - '*' + resources: + - events + verbs: + - create + - update + - patch + - apiGroups: + - authorization.k8s.io + clusterScope: true + resources: + - subjectaccessreviews + verbs: + - create + - apiGroups: + - '*' + namespaces: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - apiGroups: + - '' + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + - apiGroups: + - apps + namespaces: + - {{ template "kyverno.namespace" . }} + resources: + - deployments + - deployments/scale + verbs: + - get + - list + - watch + - patch + - update + subjects: + - kind: ServiceAccount + serviceAccount: + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/templates/admission-controller/networkpolicy.yaml b/charts/kyverno/templates/admission-controller/networkpolicy.yaml new file mode 100644 index 000000000000..67219e19f5ce --- /dev/null +++ b/charts/kyverno/templates/admission-controller/networkpolicy.yaml 
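Review bot: The rule list in this FlowSchema mirrors the admission controller's RBAC (the namespace-scoped secrets, configmaps, leases and deployments rules line up with role.yaml) but nothing in the file says so, and a reader skimming the chart can mistake it for a permission grant; add a comment under the opening `{{- if }}`, e.g. `{{/* Classifies the admission controller's API requests for priority-and-fairness; it grants nothing. Keep in sync with clusterrole.yaml and role.yaml. */}}`. The two files already drift: `deployments/scale` with `patch`/`update` is unconditional here, while role.yaml only grants those when `webhooksCleanup.enabled` is on and `templating.enabled` is off — harmless for request matching, but the comment should say the RBAC side is authoritative. The file also ends without a trailing newline.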
@@ -0,0 +1,31 @@ +{{- if .Values.admissionController.networkPolicy.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + policyTypes: + - Ingress + {{- if .Values.admissionController.networkPolicy.ingressFrom }} + ingress: + - from: + {{- toYaml .Values.admissionController.networkPolicy.ingressFrom | nindent 8 }} + ports: + - protocol: TCP + port: 9443 # webhook access + # Allow prometheus scrapes for metrics + {{- if .Values.admissionController.metricsService.create }} + - protocol: TCP + port: {{ .Values.admissionController.metricsService.port }} + {{- end }} + {{- else }} + ingress: + - {} + {{- end }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml new file mode 100644 index 000000000000..d1bfbeba2a68 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/poddisruptionbudget.yaml @@ -0,0 +1,14 @@ +{{- if or .Values.admissionController.podDisruptionBudget.enabled (gt (int .Values.admissionController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + {{- include "kyverno.pdb.spec" .Values.admissionController.podDisruptionBudget | nindent 2 }} + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} +{{- end -}} 
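Review bot: The webhook port in the `ingressFrom` branch is hard-coded as `port: 9443 # webhook access`, while deployment.yaml exposes the container on `.Values.admissionController.webhookServer.port`; if that value is changed the policy keeps allowing 9443 only, the API server's webhook calls are dropped, and depending on the webhooks' failurePolicy this either blocks all admission or, with Ignore, silently lets every policy be bypassed. The metrics entry has the mirror-image problem: NetworkPolicy `ports` match container ports, but `port: {{ .Values.admissionController.metricsService.port }}` is the Service port, which need not equal `metering.port`. Use the named container ports the deployment declares so both track values automatically: `port: https # webhook` and `port: metrics-port`.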
diff --git a/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml b/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml new file mode 100644 index 000000000000..c248da9eac3a --- /dev/null +++ b/charts/kyverno/templates/admission-controller/prioritylevelconfiguration.yaml @@ -0,0 +1,12 @@ +{{- if .Values.admissionController.apiPriorityAndFairness }} +apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }} +kind: PriorityLevelConfiguration +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +{{- with .Values.admissionController.priorityLevelConfigurationSpec }} +spec: + {{- tpl (toYaml .) $ | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/kyverno/templates/admission-controller/role.yaml b/charts/kyverno/templates/admission-controller/role.yaml new file mode 100644 index 000000000000..b5d621786cee --- /dev/null +++ b/charts/kyverno/templates/admission-controller/role.yaml 
@@ -0,0 +1,62 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - delete + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - delete + - get + - patch + - update + # Allow update of Kyverno deployment annotations + - apiGroups: + - apps + resources: + - deployments + {{- if .Values.webhooksCleanup.enabled }} + {{- if not .Values.templating.enabled }} + - deployments/scale + {{- end }} + {{- end }} + verbs: + - get + - list + - watch + {{- if .Values.webhooksCleanup.enabled }} + {{- if not .Values.templating.enabled }} + - patch + - update + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/rolebinding.yaml b/charts/kyverno/templates/admission-controller/rolebinding.yaml new file mode 100644 index 000000000000..b2045b17b6b5 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/rolebinding.yaml 
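Review bot: The first rule grants `get`/`list`/`watch`/`create`/`update`/`delete` on every Secret in the release namespace with no `resourceNames`, while the configmaps rule directly below is pinned to the two config maps, and nothing explains the asymmetry. The breadth may be intentional — secret.yaml creates the `...kyverno-tls-ca`/`...kyverno-tls-pair` secrets that the controller presumably rotates, `list`/`watch` cannot be narrowed by `resourceNames`, and the deployment passes `--imagePullSecrets` names the controller has to read — but an auditor will flag `list` on all secrets as credential exposure unless the template says why. Add a comment above the rule, e.g. `# Deliberately broad: the controller manages its generated TLS secrets (list/watch cannot be scoped by resourceNames) and reads the registry credentials named in --imagePullSecrets`, and consider moving `update`/`delete` into a second rule with `resourceNames` limited to the two TLS secret names if the controller writes nothing else.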
@@ -0,0 +1,17 @@ +{{- if .Values.admissionController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.admission-controller.roleName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.admission-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/secret.yaml b/charts/kyverno/templates/admission-controller/secret.yaml new file mode 100644 index 000000000000..1c6b7182a434 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/secret.yaml 
@@ -0,0 +1,30 @@ +{{- if .Values.admissionController.createSelfSignedCert -}} +{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} +{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) (include "kyverno.namespace" .)) -}} +{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.key: {{ $ca.Key | b64enc }} + tls.crt: {{ $ca.Cert | b64enc }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + annotations: + self-signed-cert: "true" +type: kubernetes.io/tls +data: + tls.key: {{ $cert.Key | b64enc }} + tls.crt: {{ $cert.Cert | b64enc }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/service.yaml b/charts/kyverno/templates/admission-controller/service.yaml new file mode 100644 index 000000000000..597b79fff08d --- /dev/null +++ b/charts/kyverno/templates/admission-controller/service.yaml 
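Review bot: `genCA` and `genSignedCert` on the second and fourth lines of the hunk mint a fresh key pair on every render, so each `helm upgrade` (and `helm diff`) rotates the CA and overwrites both secrets; role.yaml also lets the admission controller update these same secrets, so Helm and the controller can replace each other's material, and any webhook whose `caBundle` still carries the previous CA fails TLS verification until it is re-patched. The usual mitigation is to reuse the CA already in the cluster via `lookup` and only generate one when none exists; `lookup` returns nothing under `helm template`/`--dry-run`, so a fresh CA is still produced there and the comment should say so. The `1024` passed to both calls is the validity in days, not a key size — worth a comment before someone "fixes" it to 4096.
```yaml
{{- if .Values.admissionController.createSelfSignedCert -}}
{{- $ns := include "kyverno.namespace" . -}}
{{- $caSecretName := printf "%s.%s.svc.kyverno-tls-ca" (include "kyverno.admission-controller.serviceName" .) $ns -}}
{{- /* Reuse the CA already in the cluster so an upgrade does not rotate it; lookup is empty under helm template, so a new CA is generated there. */ -}}
{{- $existing := lookup "v1" "Secret" $ns $caSecretName -}}
{{- $ca := dict -}}
{{- if $existing -}}
{{- $ca = buildCustomCert (index $existing.data "tls.crt") (index $existing.data "tls.key") -}}
{{- else -}}
{{- /* 1024 is the validity in days, not a key size */ -}}
{{- $ca = genCA (printf "*.%s.svc" $ns) 1024 -}}
{{- end -}}
{{- $svcName := (printf "%s.%s.svc" (include "kyverno.admission-controller.serviceName" .) $ns) -}}
{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}}
# … unchanged: the two Secret manifests …
```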
@@ -0,0 +1,70 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.service.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.admissionController.service.port }} + targetPort: https + protocol: TCP + name: https + {{- if and (eq .Values.admissionController.service.type "NodePort") (not (empty .Values.admissionController.service.nodePort)) }} + nodePort: {{ .Values.admissionController.service.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.service.type }} +{{- if .Values.admissionController.metricsService.create }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.metricsService.annotations }} + annotations: {{ tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.admissionController.metricsService.port }} + targetPort: {{ .Values.admissionController.metering.port }} + protocol: TCP + name: metrics-port + {{- if and (eq .Values.admissionController.metricsService.type "NodePort") (not (empty .Values.admissionController.metricsService.nodePort)) }} + nodePort: {{ .Values.admissionController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . 
| nindent 4 }} + type: {{ .Values.admissionController.metricsService.type }} +{{- end -}} +{{- if .Values.admissionController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.admission-controller.serviceName" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.admissionController.profiling.port }} + targetPort: {{ .Values.admissionController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.admissionController.profiling.serviceType "NodePort") (not (empty .Values.admissionController.profiling.nodePort)) }} + nodePort: {{ .Values.admissionController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.admissionController.profiling.serviceType }} +{{- end -}} diff --git a/charts/kyverno/templates/admission-controller/serviceaccount.yaml b/charts/kyverno/templates/admission-controller/serviceaccount.yaml new file mode 100644 index 000000000000..e78f6bff4aa1 --- /dev/null +++ b/charts/kyverno/templates/admission-controller/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.admissionController.rbac.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.admission-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kyverno/templates/admission-controller/servicemonitor.yaml b/charts/kyverno/templates/admission-controller/servicemonitor.yaml new file mode 100644 index 000000000000..d97ab2f3855c --- /dev/null 
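Review bot: The profiling Service in the last third of the hunk takes `type: {{ .Values.admissionController.profiling.serviceType }}` and an optional `nodePort`, which can publish the controller's profiling endpoint — presumably the pprof server started by `--profile` — on every node with no authentication; heap and goroutine dumps of the process that sees every admission request are not something to expose cluster-externally. The admission controller NetworkPolicy in this chart only opens 9443 and the metrics port, so with `ingressFrom` set the Service is unreachable anyway, but without that policy (or with `ingress: - {}`) it is wide open. Add a comment above that Service, e.g. `# pprof has no authentication: keep this ClusterIP and reach it with port-forward; do not expose it via NodePort/LoadBalancer`, and consider a `fail` guard that rejects `serviceType` values other than ClusterIP for profiling.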
+++ b/charts/kyverno/templates/admission-controller/servicemonitor.yaml @@ -0,0 +1,40 @@ +{{- if .Values.admissionController.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.admission-controller.name" . }} + {{- if .Values.admissionController.serviceMonitor.namespace }} + namespace: {{ .Values.admissionController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} + {{- with .Values.admissionController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.admissionController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.admissionController.serviceMonitor.scrapeTimeout }} + {{- if .Values.admissionController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.admissionController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} + {{- with .Values.admissionController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.admissionController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} diff --git a/charts/kyverno/templates/aggregateroles.yaml b/charts/kyverno/templates/aggregateroles.yaml deleted file mode 100644 index 99896fe4ac94..000000000000 --- a/charts/kyverno/templates/aggregateroles.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-policies - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - policies - - clusterpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-policyreport - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: - - apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - clusterpolicyreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-reports - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:admin-generaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - generaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . 
}}:admin-updaterequest - labels: - rbac.authorization.k8s.io/aggregate-to-admin: "true" - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - updaterequests - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -{{- end }} diff --git a/charts/kyverno/templates/background-controller/_helpers.tpl b/charts/kyverno/templates/background-controller/_helpers.tpl new file mode 100644 index 000000000000..6b75cb329e7e --- /dev/null +++ b/charts/kyverno/templates/background-controller/_helpers.tpl 
@@ -0,0 +1,44 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.background-controller.name" -}} +{{ template "kyverno.name" . }}-background-controller +{{- end -}} + +{{- define "kyverno.background-controller.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.background-controller.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "background-controller") +) -}} +{{- end -}} + +{{- define "kyverno.background-controller.image" -}} +{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- if $imageRegistry -}} + {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- else -}} + {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.background-controller.roleName" -}} +{{ include "kyverno.fullname" . }}:background-controller +{{- end -}} + +{{- define "kyverno.background-controller.serviceAccountName" -}} +{{- if .Values.backgroundController.rbac.create -}} + {{ default (include "kyverno.background-controller.name" .) .Values.backgroundController.rbac.serviceAccount.name }} +{{- else -}} + {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.backgroundController.rbac.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "kyverno.background-controller.caCertificatesConfigMapName" -}} +{{ printf "%s-ca-certificates" (include "kyverno.background-controller.name" .) }} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/clusterrole.yaml b/charts/kyverno/templates/background-controller/clusterrole.yaml new file mode 100644 index 000000000000..2c47558136d8 --- /dev/null 
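Review bot: The `required` message in `kyverno.background-controller.serviceAccountName` points the user at `rbac.create`, but the flag actually tested is `.Values.backgroundController.rbac.create`, so the error sends them to the wrong values key; change the message to `required "A service account name is required when backgroundController.rbac.create is set to false"`. Separately, `kyverno.background-controller.image` can only emit a `repository:tag` reference, so the controller image cannot be pinned by digest from values; if that is intentional a one-line comment on the helper would stop the question from recurring.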
+++ b/charts/kyverno/templates/background-controller/clusterrole.yaml @@ -0,0 +1,82 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +aggregationRule: + clusterRoleSelectors: + - matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 8 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" . }}:core + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - kyverno.io + resources: + - policies + - clusterpolicies + - policyexceptions + - updaterequests + - updaterequests/status + - globalcontextentries + - globalcontextentries/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - deletecollection + - apiGroups: + - '' + resources: + - namespaces + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - get + - list + - patch + - update + - watch +{{- with .Values.backgroundController.rbac.coreClusterRole.extraResources }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.backgroundController.rbac.clusterRole.extraResources }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.background-controller.roleName" $ }}:additional + labels: + {{- include "kyverno.background-controller.labels" $ | nindent 4 }} +rules: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} 
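Review bot: The aggregated ClusterRole at the top of the hunk merges every ClusterRole carrying `kyverno.background-controller.matchLabels`, so those labels are an authorization boundary — anyone able to create or label ClusterRoles can widen the background controller's permissions without touching this chart (this is also how `:core` and `:additional` attach, and it is the intended way to grant rights over generated resources). That property is not stated anywhere; add a comment on `aggregationRule`, e.g. `# Every ClusterRole carrying these labels is merged into the controller's permissions — treat the labels as privileged`. The `:core` role also reads `configmaps` cluster-wide, presumably for policy context lookups; a short comment saying so would help whoever audits the grant.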
diff --git a/charts/kyverno/templates/background-controller/clusterrolebinding.yaml b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml new file mode 100644 index 000000000000..7dcbfffe6c84 --- /dev/null +++ b/charts/kyverno/templates/background-controller/clusterrolebinding.yaml @@ -0,0 +1,18 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.background-controller.roleName" . }} +subjects: +- kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/configmap.yaml b/charts/kyverno/templates/background-controller/configmap.yaml new file mode 100644 index 000000000000..6979ca652a6a --- /dev/null +++ b/charts/kyverno/templates/background-controller/configmap.yaml @@ -0,0 +1,12 @@ +{{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.admission-controller.labels" . | nindent 4 }} +data: + ca-certificates: | + {{ .Values.backgroundController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/deployment.yaml b/charts/kyverno/templates/background-controller/deployment.yaml new file mode 100644 index 000000000000..acbaf7f7c138 --- /dev/null 
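Review bot: In configmap.yaml (the second hunk on this line) the background controller's CA bundle ConfigMap is labelled with `include "kyverno.admission-controller.labels"`, which reads as a copy-paste from the admission controller template; the resource ends up carrying the admission controller's component label, so label-based tooling and any selector built from this chart's `matchLabels` helpers may attribute it to the wrong component. Use the helper every other file in this directory uses: `{{- include "kyverno.background-controller.labels" . | nindent 4 }}`.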
+++ b/charts/kyverno/templates/background-controller/deployment.yaml 
@@ -0,0 +1,187 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if not .Values.templating.debug -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "kyverno.background-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + replicas: {{ template "kyverno.deployment.replicas" .Values.backgroundController.replicas }} + revisionHistoryLimit: {{ .Values.backgroundController.revisionHistoryLimit }} + {{- with .Values.backgroundController.updateStrategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "kyverno.background-controller.labels" . | nindent 8 }} + {{- with .Values.backgroundController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + {{- with .Values.backgroundController.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.topologySpreadConstraints }} + topologySpreadConstraints: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.backgroundController.hostNetwork }} + hostNetwork: {{ . 
}} + {{- end }} + {{- with .Values.backgroundController.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- if or .Values.backgroundController.antiAffinity.enabled .Values.backgroundController.podAffinity .Values.backgroundController.nodeAffinity }} + affinity: + {{- if .Values.backgroundController.antiAffinity.enabled }} + {{- with .Values.backgroundController.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + {{- with .Values.backgroundController.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.backgroundController.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} + serviceAccountName: {{ template "kyverno.background-controller.serviceAccountName" . }} + containers: + - name: controller + image: {{ include "kyverno.background-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.backgroundController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.backgroundController.image.pullPolicy }} + ports: + - containerPort: {{ .Values.backgroundController.server.port }} + name: https + protocol: TCP + - containerPort: {{ .Values.backgroundController.metering.port }} + name: metrics + protocol: TCP + {{ if .Values.backgroundController.profiling.enabled }} + - containerPort: {{ .Values.backgroundController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} + args: + {{- if .Values.backgroundController.tracing.enabled }} + - --enableTracing + - --tracingAddress={{ .Values.backgroundController.tracing.address }} + - --tracingPort={{ .Values.backgroundController.tracing.port }} + {{- with .Values.backgroundController.tracing.creds }} + - --tracingCreds={{ . 
}} + {{- end }} + {{- end }} + - --disableMetrics={{ .Values.backgroundController.metering.disabled }} + {{- if not .Values.backgroundController.metering.disabled }} + - --otelConfig={{ .Values.backgroundController.metering.config }} + - --metricsPort={{ .Values.backgroundController.metering.port }} + {{- with .Values.backgroundController.metering.collector }} + - --otelCollector={{ . }} + {{- end }} + {{- with .Values.backgroundController.metering.creds }} + - --transportCreds={{ . }} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} + - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} + {{- end }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.backgroundController.featuresOverride) + "configMapCaching" + "deferredLoading" + "globalContext" + "logging" + "omitEvents" + "policyExceptions" + ) | nindent 12 }} + {{- range $key, $value := .Values.backgroundController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{ if .Values.backgroundController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.backgroundController.profiling.port }} + {{- end }} + env: + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.background-controller.serviceAccountName" . }} + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.background-controller.name" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} + - name: METRICS_CONFIG + value: {{ template "kyverno.config.metricsConfigMapName" . }} + - name: KYVERNO_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: KYVERNO_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with (concat .Values.global.extraEnvVars .Values.backgroundController.extraEnvVars) }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- with .Values.backgroundController.resources }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} + {{- end }} + {{- with .Values.backgroundController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumeMounts: + - name: ca-certificates + mountPath: /etc/ssl/certs/ca-certificates.crt + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + subPath: ca-certificates.crt + {{- end }} + {{- end }} + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + volumes: + {{- if or .Values.backgroundController.caCertificates.data .Values.global.caCertificates.data }} + - name: ca-certificates + configMap: + name: {{ include "kyverno.background-controller.caCertificatesConfigMapName" . }} + items: + - key: ca-certificates + path: ca-certificates.crt + {{- else if or .Values.backgroundController.caCertificates.volume .Values.global.caCertificates.volume }} + {{- with (.Values.backgroundController.caCertificates.volume | default .Values.global.caCertificates.volume) }} + - name: ca-certificates + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/networkpolicy.yaml b/charts/kyverno/templates/background-controller/networkpolicy.yaml new file mode 100644 index 000000000000..660bbfd490d4 --- /dev/null +++ b/charts/kyverno/templates/background-controller/networkpolicy.yaml 
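Review bot: `hostNetwork` and `dnsPolicy` are rendered independently, so setting `backgroundController.hostNetwork: true` without `dnsPolicy: ClusterFirstWithHostNet` gives the pod the node's resolver and in-cluster names — such as whatever `--otelCollector` or `--tracingAddress` point at, presumably cluster Services — stop resolving; add a comment next to `hostNetwork`, e.g. `# when hostNetwork is enabled also set dnsPolicy: ClusterFirstWithHostNet, otherwise cluster DNS names do not resolve`. Separately, the two `{{ if .Values.backgroundController.profiling.enabled }}` openers (in `ports:` and `args:`) lack the `-` trim that every neighbouring action uses, so with profiling disabled they leave a whitespace-only line inside each list; `{{- if ... }}` matches the surrounding style.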
@@ -0,0 +1,30 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.networkPolicy.enabled -}}
+{{- if .Values.backgroundController.metricsService.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kyverno.background-controller.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ {{- if .Values.backgroundController.networkPolicy.ingressFrom }}
+ ingress:
+ - from:
+ {{- toYaml .Values.backgroundController.networkPolicy.ingressFrom | nindent 8 }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.backgroundController.metricsService.port }}
+ {{- else }}
+ ingress:
+ - {}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml
new file mode 100644
index 000000000000..201f7cbb8c2c
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/poddisruptionbudget.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if or .Values.backgroundController.podDisruptionBudget.enabled (gt (int .Values.backgroundController.replicas) 1) -}}
+apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "kyverno.background-controller.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+spec:
+ {{- include "kyverno.pdb.spec" .Values.backgroundController.podDisruptionBudget | nindent 2 }}
+ selector:
+ matchLabels:
+ {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }}
+{{- end -}}
+{{- end -}}
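Review bot: The fallback branch `ingress: - {}` at the end of the spec admits ingress from every source on every port, so setting `networkPolicy.enabled: true` without `ingressFrom` produces a policy that restricts nothing, and because the whole file is gated on `metricsService.create` there is no policy at all (rather than a default-deny one) when no metrics Service is created. If the fallback is only meant to keep metrics scrapes reachable, limit its port as the `ingressFrom` branch does: `- ports:`, `- protocol: TCP`, `port: {{ .Values.backgroundController.metricsService.port }}`; if allow-all is intended, a one-line comment in values.yaml next to `ingressFrom` saying so would prevent a false sense of isolation. The same unrestricted fallback is used in cleanup-controller/networkpolicy.yaml in this change.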
diff --git a/charts/kyverno/templates/background-controller/role.yaml b/charts/kyverno/templates/background-controller/role.yaml
new file mode 100644
index 000000000000..c18d1186dff3
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/role.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.backgroundController.enabled -}}
+{{- if .Values.backgroundController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "kyverno.background-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.background-controller.labels" . | nindent 4 }}
+ namespace: {{ template "kyverno.namespace" . }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - {{ include "kyverno.config.configMapName" . }}
+ - {{ include "kyverno.config.metricsConfigMapName" . }}
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+ resourceNames:
+ - kyverno-background-controller
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/background-controller/rolebinding.yaml b/charts/kyverno/templates/background-controller/rolebinding.yaml
new file mode 100644
index 000000000000..1eef40c70816
--- /dev/null
+++ b/charts/kyverno/templates/background-controller/rolebinding.yaml
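Review bot: The last rule grants get/list/watch on every Secret in the namespace with no `resourceNames`, while the configmaps and leases rules in the same Role are name-scoped; if the controller only needs the pull secrets it is handed via `--imagePullSecrets` (whose names are known at render time), scope this rule the same way, and otherwise a short comment above it explaining why namespace-wide Secret read is required would save the next reviewer the question. The lease rule hardcodes `resourceNames: - kyverno-background-controller` while `metadata.name` comes from the `kyverno.background-controller.name` template, so if the controller derives its lease name from the deployment name (the `KYVERNO_DEPLOYMENT` env var on the deployment suggests it does) a name override makes the lease update/patch fail; cleanup-controller/role.yaml uses the same literal pattern with `kyverno-cleanup-controller`. Note also that Kubernetes only honours `resourceNames` on list/watch when the request carries a `metadata.name` field selector, so the name-scoped configmaps rule here (and the secrets/configmaps rules in cleanup-controller/role.yaml) only works if the controllers' informers are built with that selector — worth confirming against the controller code.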
@@ -0,0 +1,19 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.background-controller.roleName" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + namespace: {{ template "kyverno.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.background-controller.roleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/service.yaml b/charts/kyverno/templates/background-controller/service.yaml new file mode 100644 index 000000000000..876f228b898e --- /dev/null +++ b/charts/kyverno/templates/background-controller/service.yaml 
@@ -0,0 +1,50 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.metricsService.create -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-metrics + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.metricsService.annotations }} + annotations: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.backgroundController.metricsService.port }} + targetPort: {{ .Values.backgroundController.metering.port }} + protocol: TCP + name: metrics-port + {{- if and (eq .Values.backgroundController.metricsService.type "NodePort") (not (empty .Values.backgroundController.metricsService.nodePort)) }} + nodePort: {{ .Values.backgroundController.metricsService.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.metricsService.type }} +{{- end -}} +{{- end -}} +{{- if .Values.backgroundController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.background-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.backgroundController.profiling.port }} + targetPort: {{ .Values.backgroundController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.backgroundController.profiling.serviceType "NodePort") (not (empty .Values.backgroundController.profiling.nodePort)) }} + nodePort: {{ .Values.backgroundController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.background-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.backgroundController.profiling.serviceType }} +{{- end -}} 
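Review bot: The profiling Service block (`{{- if .Values.backgroundController.profiling.enabled }}` placed after the two `{{- end -}}`) is outside the `backgroundController.enabled` guard, so a profiling Service is rendered even when the controller is disabled; cleanup-controller/service.yaml in this same change keeps its profiling Service inside the guard. Changing the condition to `{{- if and .Values.backgroundController.enabled .Values.backgroundController.profiling.enabled }}` aligns the two. Since this Service exposes the controller's profiling endpoint and `profiling.serviceType` accepts NodePort, a comment in values.yaml recommending ClusterIP, and noting that the networkpolicy template only admits the metrics port once `ingressFrom` is set, would help operators keep that port internal; the same applies to the cleanup-controller profiling Service.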
diff --git a/charts/kyverno/templates/background-controller/serviceaccount.yaml b/charts/kyverno/templates/background-controller/serviceaccount.yaml new file mode 100644 index 000000000000..b291b7e9abdf --- /dev/null +++ b/charts/kyverno/templates/background-controller/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.rbac.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.background-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/background-controller/servicemonitor.yaml b/charts/kyverno/templates/background-controller/servicemonitor.yaml new file mode 100644 index 000000000000..67c38a22d69f --- /dev/null +++ b/charts/kyverno/templates/background-controller/servicemonitor.yaml 
@@ -0,0 +1,42 @@ +{{- if .Values.backgroundController.enabled -}} +{{- if .Values.backgroundController.serviceMonitor.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kyverno.background-controller.name" . }} + {{- if .Values.backgroundController.serviceMonitor.namespace }} + namespace: {{ .Values.backgroundController.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "kyverno.namespace" . }} + {{- end }} + labels: + {{- include "kyverno.background-controller.labels" . | nindent 4 }} + {{- with .Values.backgroundController.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kyverno.background-controller.matchLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ template "kyverno.namespace" . }} + endpoints: + - port: metrics-port + interval: {{ .Values.backgroundController.serviceMonitor.interval }} + scrapeTimeout: {{ .Values.backgroundController.serviceMonitor.scrapeTimeout }} + {{- if .Values.backgroundController.serviceMonitor.secure }} + scheme: https + tlsConfig: + {{- toYaml .Values.backgroundController.serviceMonitor.tlsConfig | nindent 8 }} + {{- end }} + {{- with .Values.backgroundController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.backgroundController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/_helpers.tpl b/charts/kyverno/templates/cleanup-controller/_helpers.tpl index 4bad77b037c6..f8da54e1929a 100644 --- a/charts/kyverno/templates/cleanup-controller/_helpers.tpl +++ b/charts/kyverno/templates/cleanup-controller/_helpers.tpl 
@@ -5,37 +5,32 @@ {{- end -}} {{- define "kyverno.cleanup-controller.labels" -}} -app.kubernetes.io/part-of: {{ template "kyverno.name" . }} -{{- with (include "kyverno.helmLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.versionLabels" .) }} -{{ . }} -{{- end }} -{{- with (include "kyverno.cleanup-controller.matchLabels" .) }} -{{ . }} -{{- end }} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.cleanup-controller.matchLabels" .) +) -}} {{- end -}} {{- define "kyverno.cleanup-controller.matchLabels" -}} -app.kubernetes.io/component: cleanup-controller -app.kubernetes.io/name: {{ template "kyverno.cleanup-controller.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "cleanup-controller") +) -}} {{- end -}} {{- define "kyverno.cleanup-controller.image" -}} -{{- if .image.registry -}} - {{ .image.registry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} +{{- $imageRegistry := default .image.registry .globalRegistry -}} +{{- if $imageRegistry -}} + {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- else -}} {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }} {{- end -}} {{- end -}} {{- define "kyverno.cleanup-controller.roleName" -}} -{{ .Release.Name }}:cleanup-controller +{{ include "kyverno.fullname" . }}:cleanup-controller {{- end -}} -{{/* Create the name of the service account to use */}} {{- define "kyverno.cleanup-controller.serviceAccountName" -}} {{- if .Values.cleanupController.rbac.create -}} {{ default (include "kyverno.cleanup-controller.name" .) .Values.cleanupController.rbac.serviceAccount.name }} 
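Review bot: In `kyverno.cleanup-controller.image`, `default .image.registry .globalRegistry` makes the global registry win over the component one (Sprig's `default` returns its first argument only when the second is empty), whereas the deployment in this same change resolves `nodeSelector` and `tolerations` as `component | default global`, i.e. component wins. If a per-component `image.registry` is meant to override `global.image.registry`, swap the arguments: `{{- $imageRegistry := default .globalRegistry .image.registry -}}`. If the global value is intended as a forced override (for example a single mirror for all components), a one-line comment above the assignment stating that precedence would stop a later reader from "fixing" it.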
@@ -43,25 +38,3 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.cleanupController.rbac.serviceAccount.name }} {{- end -}} {{- end -}} - -{{- define "kyverno.cleanup-controller.securityContext" -}} -{{- if semverCompare "<1.19" .Capabilities.KubeVersion.Version }} -{{ toYaml (omit .Values.cleanupController.securityContext "seccompProfile") }} -{{- else }} -{{ toYaml .Values.cleanupController.securityContext }} -{{- end }} -{{- end }} - -{{/* Create the default PodDisruptionBudget to use */}} -{{- define "kyverno.cleanup-controller.podDisruptionBudget.spec" -}} -{{- if and .Values.cleanupController.podDisruptionBudget.minAvailable .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -{{- fail "Cannot set both .Values.cleanupController.podDisruptionBudget.minAvailable and .Values.cleanupController.podDisruptionBudget.maxUnavailable" -}} -{{- end }} -{{- if not .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -minAvailable: {{ default 1 .Values.cleanupController.podDisruptionBudget.minAvailable }} -{{- end }} -{{- if .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -maxUnavailable: {{ .Values.cleanupController.podDisruptionBudget.maxUnavailable }} -{{- end }} -{{- end }} - diff --git a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml index 115a690124af..4584dba1c57e 100644 --- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml +++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml @@ -18,6 +18,12 @@ metadata: labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} rules: + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get - apiGroups: - admissionregistration.k8s.io resources: 
@@ -42,8 +48,14 @@ rules: resources: - clustercleanuppolicies - cleanuppolicies - - clustercleanuppolicies/* - - cleanuppolicies/* + verbs: + - list + - watch + - apiGroups: + - kyverno.io + resources: + - globalcontextentries + - globalcontextentries/status verbs: - create - delete @@ -54,23 +66,35 @@ rules: - watch - deletecollection - apiGroups: - - batch + - kyverno.io resources: - - cronjobs + - clustercleanuppolicies/status + - cleanuppolicies/status + verbs: + - update + - apiGroups: + - '' + resources: + - configmaps verbs: - - create - - delete - get - list - - update - watch - apiGroups: - - "" + - '' + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - update + - apiGroups: + - authorization.k8s.io resources: - - events + - subjectaccessreviews verbs: - - create - - patch + - create {{- with .Values.cleanupController.rbac.clusterRole.extraResources }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -80,15 +104,7 @@ metadata: labels: {{- include "kyverno.cleanup-controller.labels" $ | nindent 4 }} rules: - {{- range . }} - - apiGroups: - {{- toYaml .apiGroups | nindent 6 }} - resources: - {{- toYaml .resources | nindent 6 }} - verbs: - - delete - - list - {{- end }} -{{- end }} + {{- toYaml . | nindent 2 }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/kyverno/templates/cleanup-controller/deployment.yaml b/charts/kyverno/templates/cleanup-controller/deployment.yaml index fb0d2bea4a51..ddb80db49a27 100644 --- a/charts/kyverno/templates/cleanup-controller/deployment.yaml +++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml 
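Review bot: In the last hunk the `extraResources` rendering changes from a fixed `verbs: [delete, list]` per entry to `{{- toYaml . | nindent 2 }}` of the raw value, so a values file still using the previous shape (entries with only `apiGroups` and `resources`) now renders PolicyRules without `verbs`, which the API server rejects, while the new shape lets values grant any verb on any resource. An upgrade note in values.yaml describing the new `extraResources` format would help, together with a render-time guard so the old shape fails clearly, e.g. `{{- range . }}{{- if not .verbs }}{{- fail "cleanupController.rbac.clusterRole.extraResources entries must set verbs" }}{{- end }}{{- end }}` before the `toYaml`. The file also now ends with `\ No newline at end of file`.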
@@ -4,13 +4,12 @@ apiVersion: apps/v1 kind: Deployment metadata: name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: - {{- with .Values.cleanupController.replicas }} - replicas: {{ . }} - {{- end }} + replicas: {{ template "kyverno.deployment.replicas" .Values.cleanupController.replicas }} + revisionHistoryLimit: {{ .Values.cleanupController.revisionHistoryLimit }} {{- with .Values.cleanupController.updateStrategy }} strategy: {{- toYaml . | nindent 4 }} @@ -22,20 +21,26 @@ spec: metadata: labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 8 }} + {{- with .Values.cleanupController.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.cleanupController.podAnnotations }} + annotations: {{ tpl (toYaml .) $ | nindent 8 }} + {{- end }} spec: - {{- with .Values.cleanupController.image.pullSecrets }} - imagePullSecrets: + {{- with .Values.cleanupController.imagePullSecrets }} + imagePullSecrets: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- with .Values.cleanupController.podSecurityContext }} securityContext: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.cleanupController.nodeSelector }} + {{- with .Values.cleanupController.nodeSelector | default .Values.global.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} - {{- with .Values.cleanupController.tolerations }} + {{- with .Values.cleanupController.tolerations | default .Values.global.tolerations}} tolerations: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} 
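Review bot: The pod spec now reads `.Values.cleanupController.imagePullSecrets` instead of `.Values.cleanupController.image.pullSecrets`; an existing values file using the old key renders with no `imagePullSecrets` and no error, so pulls from a private registry only fail at runtime. A guard such as `{{- if .Values.cleanupController.image.pullSecrets }}{{- fail "cleanupController.image.pullSecrets moved to cleanupController.imagePullSecrets" }}{{- end }}` would surface the rename at install time. Minor style point: `{{- with .Values.cleanupController.tolerations | default .Values.global.tolerations}}` lacks the space before `}}` that the neighbouring `nodeSelector` line has.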
@@ -72,16 +77,26 @@ spec: serviceAccountName: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} containers: - name: controller - image: {{ include "kyverno.cleanup-controller.image" (dict "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }} + image: {{ include "kyverno.cleanup-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }} + imagePullPolicy: {{ .Values.cleanupController.image.pullPolicy }} ports: - - containerPort: 9443 + - containerPort: {{ .Values.cleanupController.server.port }} name: https protocol: TCP - - containerPort: 8000 + - containerPort: {{ .Values.cleanupController.metering.port }} name: metrics protocol: TCP + {{ if .Values.cleanupController.profiling.enabled }} + - containerPort: {{ .Values.cleanupController.profiling.port }} + name: profiling-port + protocol: TCP + {{- end }} args: - - --loggingFormat={{ .Values.cleanupController.logging.format }} + - --caSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - --tlsSecretName={{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + - --servicePort={{ .Values.cleanupController.service.port }} + - --cleanupServerPort={{ .Values.cleanupController.server.port }} + - --webhookServerPort={{ .Values.cleanupController.webhookServer.port }} {{- if .Values.cleanupController.tracing.enabled }} - --enableTracing - --tracingAddress={{ .Values.cleanupController.tracing.address }} 
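Review bot: `{{ if .Values.cleanupController.profiling.enabled }}` in the ports list omits the leading `-` trim that its `{{- end }}` and every other action in the block use, so when profiling is disabled the rendered manifest contains a whitespace-only line inside the ports list — harmless to YAML, but noisy in `helm template` diffs. The same pattern appears in the args list of the next hunk and in the background-controller deployment in this change; use `{{- if .Values.cleanupController.profiling.enabled }}` in each place.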
@@ -101,27 +116,52 @@ spec: - --transportCreds={{ . }} {{- end }} {{- end }} - {{- range .Values.cleanupController.extraArgs }} - - {{ . }} + {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.cleanupController.featuresOverride) + "deferredLoading" + "dumpPayload" + "globalContext" + "logging" + "ttlController" + "protectManagedResources" + ) | nindent 12 }} + {{- range $key, $value := .Values.cleanupController.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + {{ if .Values.cleanupController.profiling.enabled }} + - --profile=true + - --profilePort={{ .Values.cleanupController.profiling.port }} {{- end }} env: + - name: KYVERNO_DEPLOYMENT + value: {{ template "kyverno.cleanup-controller.name" . }} + - name: INIT_CONFIG + value: {{ template "kyverno.config.configMapName" . }} - name: METRICS_CONFIG - value: {{ template "kyverno.metricsConfigMapName" . }} + value: {{ template "kyverno.config.metricsConfigMapName" . }} - name: KYVERNO_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name + - name: KYVERNO_SERVICEACCOUNT_NAME + value: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - name: KYVERNO_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KYVERNO_SVC value: {{ template "kyverno.cleanup-controller.name" . }} + {{- with (concat .Values.global.extraEnvVars .Values.cleanupController.extraEnvVars) }} + {{- toYaml . | nindent 10 }} + {{- end }} {{- with .Values.cleanupController.resources }} - resources: {{ tpl (toYaml .) $ | nindent 12 }} + resources: + {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} - {{- if .Values.cleanupController.securityContext }} - securityContext: {{ include "kyverno.cleanup-controller.securityContext" . | nindent 12 }} + {{- with .Values.cleanupController.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} {{- end }} {{- with .Values.cleanupController.startupProbe }} startupProbe: 
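Review bot: `{{- if $value }}` inside the `extraArgs` loop skips any entry whose value is falsy, so `someFlag: false` or `someFlag: 0` can never reach the container; a user who wants `--someFlag=false` must quote it as a string, which the template does not make obvious. If the intent is only to drop unset entries, `{{- if not (kindIs "invalid" $value) }}` keeps `false` and `0` while still skipping `null`. The move from a list of ready-made arguments (`{{- range .Values.cleanupController.extraArgs }}`) to a `$key`/`$value` map is itself a breaking values change that deserves an upgrade note; the background-controller deployment in this change uses the same loop.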
diff --git a/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml b/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml
new file mode 100644
index 000000000000..e9e8da3524ca
--- /dev/null
+++ b/charts/kyverno/templates/cleanup-controller/networkpolicy.yaml
@@ -0,0 +1,33 @@
+{{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.networkPolicy.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kyverno.cleanup-controller.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ {{- if .Values.cleanupController.networkPolicy.ingressFrom }}
+ ingress:
+ - from:
+ {{- toYaml .Values.cleanupController.networkPolicy.ingressFrom | nindent 8 }}
+ ports:
+ - protocol: TCP
+ port: 9443 # webhook access
+ # Allow prometheus scrapes for metrics
+ {{- if .Values.cleanupController.metricsService.create }}
+ - protocol: TCP
+ port: {{ .Values.cleanupController.metricsService.port }}
+ {{- end }}
+ {{- else }}
+ ingress:
+ - {}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml
index 30b942c4e9c7..b640ad3073b8 100644
--- a/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml
+++ b/charts/kyverno/templates/cleanup-controller/poddisruptionbudget.yaml
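Review bot: `port: 9443 # webhook access` is hardcoded, while the deployment in this same change replaces the previously hardcoded `containerPort: 9443` (the `https` port) with `{{ .Values.cleanupController.server.port }}`; overriding `server.port` therefore leaves the webhook unreachable once this policy is applied. Use the same value here: `port: {{ .Values.cleanupController.server.port }} # webhook access`, so the policy and the container port cannot drift apart.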
@@ -1,18 +1,14 @@ {{- if .Values.cleanupController.enabled -}} -{{- if (gt (int .Values.cleanupController.replicas) 1) -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -apiVersion: policy/v1 -{{- else -}} -apiVersion: policy/v1beta1 -{{- end }} +{{- if or .Values.cleanupController.podDisruptionBudget.enabled (gt (int .Values.cleanupController.replicas) 1) -}} +apiVersion: {{ template "kyverno.pdb.apiVersion" . }} kind: PodDisruptionBudget metadata: name: {{ template "kyverno.cleanup-controller.name" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} spec: - {{- include "kyverno.cleanup-controller.podDisruptionBudget.spec" . | indent 2 }} + {{- include "kyverno.pdb.spec" .Values.cleanupController.podDisruptionBudget | nindent 2 }} selector: matchLabels: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 6 }} diff --git a/charts/kyverno/templates/cleanup-controller/role.yaml b/charts/kyverno/templates/cleanup-controller/role.yaml index 4a90cbc4fc90..82db80d7ddd9 100644 --- a/charts/kyverno/templates/cleanup-controller/role.yaml +++ b/charts/kyverno/templates/cleanup-controller/role.yaml 
@@ -8,33 +8,52 @@ metadata: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} namespace: {{ template "kyverno.namespace" . }} rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - list - - watch - - create - - update -- apiGroups: - - '' - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update + - apiGroups: + - '' + resources: + - secrets + verbs: + - create + - apiGroups: + - '' + resources: + - secrets + verbs: + - delete + - get + - list + - update + - watch + resourceNames: + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca + - {{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair + - apiGroups: + - '' + resources: + - configmaps + verbs: + - get + - list + - watch + resourceNames: + - {{ include "kyverno.config.configMapName" . }} + - {{ include "kyverno.config.metricsConfigMapName" . }} + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - delete + - get + - patch + - update + resourceNames: + - kyverno-cleanup-controller {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml index d09739713636..2096f16238d0 100644 --- a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml +++ b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml 
@@ -12,8 +12,8 @@ roleRef: kind: Role name: {{ template "kyverno.cleanup-controller.roleName" . }} subjects: -- kind: ServiceAccount - name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} + - kind: ServiceAccount + name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/service.yaml b/charts/kyverno/templates/cleanup-controller/service.yaml index 65b76735ea60..7d61b924c153 100644 --- a/charts/kyverno/templates/cleanup-controller/service.yaml +++ b/charts/kyverno/templates/cleanup-controller/service.yaml @@ -1,4 +1,5 @@ {{- if .Values.cleanupController.enabled -}} +--- apiVersion: v1 kind: Service metadata: @@ -38,7 +39,7 @@ metadata: spec: ports: - port: {{ .Values.cleanupController.metricsService.port }} - targetPort: 8000 + targetPort: {{ .Values.cleanupController.metering.port }} protocol: TCP name: metrics-port {{- if and (eq .Values.cleanupController.metricsService.type "NodePort") (not (empty .Values.cleanupController.metricsService.nodePort)) }} 
@@ -48,4 +49,26 @@ spec: {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} type: {{ .Values.cleanupController.metricsService.type }} {{- end -}} +{{- if .Values.cleanupController.profiling.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kyverno.cleanup-controller.name" . }}-profiling + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} +spec: + ports: + - port: {{ .Values.cleanupController.profiling.port }} + targetPort: {{ .Values.cleanupController.profiling.port }} + protocol: TCP + name: profiling-port + {{- if and (eq .Values.cleanupController.profiling.serviceType "NodePort") (not (empty .Values.cleanupController.profiling.nodePort)) }} + nodePort: {{ .Values.cleanupController.profiling.nodePort }} + {{- end }} + selector: + {{- include "kyverno.cleanup-controller.matchLabels" . | nindent 4 }} + type: {{ .Values.cleanupController.profiling.serviceType }} +{{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml index 471b4219ed55..a20a186446f6 100644 --- a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml +++ b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml @@ -4,8 +4,12 @@ apiVersion: v1 kind: ServiceAccount metadata: name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }} + namespace: {{ template "kyverno.namespace" . }} labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} + {{- with .Values.cleanupController.rbac.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml b/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml index 07f6ee55a653..e9f50e634748 100644 
--- a/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml +++ b/charts/kyverno/templates/cleanup-controller/servicemonitor.yaml @@ -12,7 +12,7 @@ metadata: labels: {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }} {{- with .Values.cleanupController.serviceMonitor.additionalLabels }} - {{- toYaml .Values.cleanupController.serviceMonitor.additionalLabels | nindent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} spec: selector: @@ -30,5 +30,13 @@ spec: tlsConfig: {{- toYaml .Values.cleanupController.serviceMonitor.tlsConfig | nindent 8 }} {{- end }} + {{- with .Values.cleanupController.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.cleanupController.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} {{- end -}} {{- end -}} diff --git a/charts/kyverno/templates/clusterrole.yaml b/charts/kyverno/templates/clusterrole.yaml deleted file mode 100644 index 6a817ebc6dc1..000000000000 --- a/charts/kyverno/templates/clusterrole.yaml +++ /dev/null 
@@ -1,188 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -aggregationRule: - clusterRoleSelectors: - - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:userinfo - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:policies - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - kyverno.io - resources: - - policies - - policies/status - - clusterpolicies - - clusterpolicies/status - - generaterequests - - generaterequests/status - - updaterequests - - updaterequests/status - - admissionreports - - clusteradmissionreports - - backgroundscanreports - - clusterbackgroundscanreports - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -- apiGroups: - - wgpolicyk8s.io - resources: - - policyreports - - policyreports/status - - clusterpolicyreports - - clusterpolicyreports/status - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:view - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - '*' - resources: - - '*' - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:generate - labels: - {{- include "kyverno.labels" . 
| nindent 4 }} -rules: - - apiGroups: - - networking.k8s.io - resources: - - ingresses - - ingressclasses - - networkpolicies - verbs: - - create - - update - - patch - - delete - - apiGroups: - - '' - resources: - - namespaces - - configmaps - - secrets - - resourcequotas - - limitranges - verbs: - - create - - update - - patch - - delete - - apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - - roles - verbs: - - create - - update - - patch - - delete - {{- if .Values.generatecontrollerExtraResources }} - - apiGroups: - - '*' - resources: - {{- range .Values.generatecontrollerExtraResources }} - - {{ . }} - {{- end }} - verbs: - - create - - update - - delete - {{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:events - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - '' - - events.k8s.io - resources: - - events - verbs: - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ template "kyverno.fullname" . }}:webhook - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - - validatingwebhookconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - deletecollection -{{- end }} diff --git a/charts/kyverno/templates/clusterrolebinding.yaml b/charts/kyverno/templates/clusterrolebinding.yaml deleted file mode 100644 index c44341f9c1d5..000000000000 --- a/charts/kyverno/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.rbac.create -}} -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ template "kyverno.fullname" . }} -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end -}} diff --git a/charts/kyverno/templates/config/_helpers.tpl b/charts/kyverno/templates/config/_helpers.tpl new file mode 100644 index 000000000000..097aa451bc58 --- /dev/null +++ b/charts/kyverno/templates/config/_helpers.tpl 
@@ -0,0 +1,71 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.config.configMapName" -}}
+{{- if .Values.config.create -}}
+ {{ default (include "kyverno.fullname" .) .Values.config.name }}
+{{- else -}}
+ {{ required "A configmap name is required when `config.create` is set to `false`" .Values.config.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.metricsConfigMapName" -}}
+{{- if .Values.metricsConfig.create -}}
+ {{ default (printf "%s-metrics" (include "kyverno.fullname" .)) .Values.metricsConfig.name }}
+{{- else -}}
+ {{ required "A configmap name is required when `metricsConfig.create` is set to `false`" .Values.metricsConfig.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.labels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.common" .)
+ (include "kyverno.config.matchLabels" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.config.matchLabels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.matchLabels.common" .)
+ (include "kyverno.labels.component" "config")
+) -}}
+{{- end -}}
+
+{{- define "kyverno.config.resourceFilters" -}}
+{{- $resourceFilters := .Values.config.resourceFilters -}}
+{{- if .Values.config.excludeKyvernoNamespace -}}
+ {{- $resourceFilters = prepend .Values.config.resourceFilters (printf "[*/*,%s,*]" (include "kyverno.namespace" .)) -}}
+{{- end -}}
+{{- range $resourceExclude := .Values.config.resourceFiltersExclude -}}
+ {{- $resourceFilters = without $resourceFilters $resourceExclude -}}
+{{- end -}}
+{{- range $exclude := .Values.config.resourceFiltersExcludeNamespaces -}}
+ {{- range $filter := $resourceFilters -}}
+ {{- if (contains (printf ",%s," $exclude) $filter) -}}
+ {{- $resourceFilters = without $resourceFilters $filter -}}
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- $resourceFilters = concat $resourceFilters .Values.config.resourceFiltersInclude -}}
+{{- range $include := .Values.config.resourceFiltersIncludeNamespaces -}}
+ {{- $resourceFilters = append $resourceFilters (printf "[*/*,%s,*]" $include) -}}
+{{- end -}}
+{{- range $resourceFilter := $resourceFilters }}
+{{ tpl $resourceFilter $ }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.config.webhooks" -}}
+{{- $excludeDefault := dict "key" "kubernetes.io/metadata.name" "operator" "NotIn" "values" (list (include "kyverno.namespace" .)) }}
+{{- $newWebhook := list }}
+{{- range $webhook := .Values.config.webhooks }}
+ {{- $namespaceSelector := default dict $webhook.namespaceSelector }}
+ {{- $matchExpressions := default list $namespaceSelector.matchExpressions }}
+ {{- $newNamespaceSelector := dict "matchLabels" $namespaceSelector.matchLabels "matchExpressions" (append $matchExpressions $excludeDefault) }}
+ {{- $newWebhook = append $newWebhook (merge (omit $webhook "namespaceSelector") (dict "namespaceSelector" $newNamespaceSelector)) }}
+{{- end }}
+{{- $newWebhook | toJson }}
+{{- end -}}
+
+{{- define "kyverno.config.imagePullSecret" -}}
+{{- printf 
"{\"auths\":{\"%s\":{\"auth\":\"%s\"}}}" .registry (printf "%s:%s" .username .password | b64enc) | b64enc }}
+{{- end -}}
diff --git a/charts/kyverno/templates/config/configmap.yaml b/charts/kyverno/templates/config/configmap.yaml
new file mode 100644
index 000000000000..7d6a91678c77
--- /dev/null
+++ b/charts/kyverno/templates/config/configmap.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.config.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "kyverno.config.configMapName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.config.labels" . | nindent 4 }}
+ annotations:
+ {{- with .Values.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if .Values.config.preserve }}
+ helm.sh/resource-policy: "keep"
+ {{- end }}
+data:
+ enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }}
+ {{- with .Values.config.defaultRegistry }}
+ defaultRegistry: {{ . | quote }}
+ {{- end }}
+ generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }}
+ {{- with .Values.config.excludeGroups }}
+ excludeGroups: {{ join "," . | quote }}
+ {{- end -}}
+ {{- with .Values.config.excludeUsernames }}
+ excludeUsernames: {{ join "," . | quote }}
+ {{- end -}}
+ {{- with .Values.config.excludeRoles }}
+ excludeRoles: {{ join "," . | quote }}
+ {{- end -}}
+ {{- with .Values.config.excludeClusterRoles }}
+ excludeClusterRoles: {{ join "," . | quote }}
+ {{- end -}}
+ {{- if .Values.config.resourceFilters }}
+ resourceFilters: >-
+ {{- include "kyverno.config.resourceFilters" . | trim | nindent 4 }}
+ {{- end -}}
+ {{- if and .Values.config.webhooks .Values.config.excludeKyvernoNamespace }}
+ webhooks: {{ include "kyverno.config.webhooks" . | quote }}
+ {{- else if .Values.config.webhooks }}
+ webhooks: {{ .Values.config.webhooks | toJson | quote }}
+ {{- else if .Values.config.excludeKyvernoNamespace }}
+ webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]'
+ {{- end -}}
+ {{- with .Values.config.webhookAnnotations }}
+ webhookAnnotations: {{ toJson . | quote }}
+ {{- end }}
+ {{- with .Values.config.webhookLabels }}
+ webhookLabels: {{ toJson . | quote }}
+ {{- end }}
+ {{- with .Values.config.matchConditions }}
+ matchConditions: {{ toJson . | quote }}
+ {{- end }}
+{{- end -}}
diff --git a/charts/kyverno/templates/config/imagepullsecret.yaml b/charts/kyverno/templates/config/imagepullsecret.yaml
new file mode 100644
index 000000000000..19ce98ce44bb
--- /dev/null
+++ b/charts/kyverno/templates/config/imagepullsecret.yaml
@@ -0,0 +1,13 @@
+{{ range $name, $secret := .Values.imagePullSecrets }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $name }}
+ namespace: {{ template "kyverno.namespace" $ }}
+ labels:
+ {{- include "kyverno.config.labels" $ | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+ .dockerconfigjson: {{ template "kyverno.config.imagePullSecret" $secret }}
+{{ end }}
diff --git a/charts/kyverno/templates/config/metricsconfigmap.yaml b/charts/kyverno/templates/config/metricsconfigmap.yaml
new file mode 100644
index 000000000000..3273946e1430
--- /dev/null
+++ b/charts/kyverno/templates/config/metricsconfigmap.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.metricsConfig.create -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "kyverno.config.metricsConfigMapName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.config.labels" . | nindent 4 }}
+ {{- with .Values.metricsConfig.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+data:
+ {{- with .Values.metricsConfig.namespaces }}
+ namespaces: {{ toJson . | quote }}
+ {{- end }}
+ {{- with .Values.metricsConfig.metricsRefreshInterval }}
+ metricsRefreshInterval: {{ . }}
+ {{- end }}
+ {{- with .Values.metricsConfig.metricsExposure }}
+ metricsExposure: {{ toJson . | quote }}
+ {{- end }}
+ {{- with .Values.metricsConfig.bucketBoundaries }}
+ bucketBoundaries: {{ join ", " . | quote }}
+ {{- end }}
+{{- end -}}
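Review bot: `kyverno.config.imagePullSecret` reads `.registry`, `.username` and `.password` from the per-secret values entry with no `required` guard, so an entry that omits one of them does not fail at render time; whatever the template engine substitutes for the missing key (an empty string or a placeholder, depending on Helm's missingkey setting, worth confirming) is silently base64-encoded into a syntactically valid but unusable `.dockerconfigjson`. Wrapping each field, e.g. `(required "imagePullSecrets.<name>.registry is required" .registry)` and likewise for `.username` and `.password`, turns that into a clear install-time error. The same helper is the only place that touches the plaintext password, so a one-line comment there, such as `{{/* builds a docker config.json from plaintext values; the password is base64-encoded only, not encrypted */}}`, would help operators understand what ends up in the rendered Secret and the Helm release record. The other helpers in this hunk (`configMapName`, `metricsConfigMapName`) already use `required`, so this would also make the file consistent.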
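Review bot: The `resourceFilters` key in configmap.yaml is gated on `{{- if .Values.config.resourceFilters }}` alone, while the value comes from `kyverno.config.resourceFilters`, which also folds in `excludeKyvernoNamespace`, `resourceFiltersInclude` and `resourceFiltersIncludeNamespaces`. An operator who empties the default list but sets any of those extras would, if I read the helper correctly, get no `resourceFilters` entry at all, so the Kyverno namespace exclusion silently disappears. Gating on the rendered output instead, `{{- with include "kyverno.config.resourceFilters" . | trim }}` with `{{- . | nindent 4 }}` inside, keys the emission on what is actually produced. Separately, this template reads `.Values.annotations` where the deleted configmap.yaml read `.Values.config.annotations`; if that move is intentional it should be called out in the chart's upgrade notes, since existing values files will stop applying annotations without any error.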
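Review bot: imagepullsecret.yaml renders registry credentials straight from `.Values.imagePullSecrets` into a `kubernetes.io/dockerconfigjson` Secret, and nothing in the template tells a reader that these values also persist, base64-encoded and unencrypted, in the Helm release record and in any `helm get values` output. A header comment would make that explicit, for example `{{/* One Secret per entry in .Values.imagePullSecrets; treat the values file as sensitive: credentials land in the rendered Secret and in the release storage. */}}`. Stylistically, the outer `{{ range ... }}` and `{{ end }}` do not trim whitespace, so the manifest starts and ends with a blank line; `{{- range $name, $secret := .Values.imagePullSecrets }}` and `{{- end }}` match the trimming used in the sibling templates in this change.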
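Review bot: In metricsconfigmap.yaml the `metricsRefreshInterval` value is emitted bare, `metricsRefreshInterval: {{ . }}`, while every other `data` entry in this file and in configmap.yaml is passed through `quote`. ConfigMap `data` values must be strings, so a user who sets the value as a YAML number or duration-like scalar that the parser does not treat as a string would get a manifest the API server rejects; `metricsRefreshInterval: {{ . | quote }}` keeps the behaviour identical for string values and removes that failure mode. I have not seen the chart's values.yaml default for this key, so whether the current default already happens to be a string is something to confirm.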
diff --git a/charts/kyverno/templates/configmap.yaml b/charts/kyverno/templates/configmap.yaml deleted file mode 100644 index 10c7fd2e08d7..000000000000 --- a/charts/kyverno/templates/configmap.yaml +++ /dev/null @@ -1,40 +0,0 @@ -{{- if (not .Values.config.existingConfig) }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - {{- with .Values.config.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ template "kyverno.configMapName" . }} - namespace: {{ template "kyverno.namespace" . }} -data: - {{- if .Values.config.defaultRegistry }} - defaultRegistry: {{ .Values.config.defaultRegistry | quote }} - {{- end }} - {{- if .Values.config.enableDefaultRegistryMutation }} - enableDefaultRegistryMutation: {{ .Values.config.enableDefaultRegistryMutation | quote }} - {{- end }} - # resource types to be skipped by kyverno policy engine - {{- if .Values.config.resourceFilters }} - resourceFilters: {{ include "kyverno.resourceFilters" . | quote }} - {{- end -}} - {{- if .Values.config.excludeGroupRole }} - excludeGroupRole: {{ join "," .Values.config.excludeGroupRole | quote }} - {{- end -}} - {{- if .Values.config.excludeUsername }} - excludeUsername: {{ join "," .Values.config.excludeUsername | quote }} - {{- end -}} - {{- if and .Values.config.webhooks .Values.excludeKyvernoNamespace }} - webhooks: {{ include "kyverno.webhooks" . | quote }} - {{- else if .Values.config.webhooks }} - webhooks: {{ .Values.config.webhooks | toJson | quote }} - {{- else if .Values.excludeKyvernoNamespace }} - webhooks: '[{"namespaceSelector": {"matchExpressions": [{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["{{ include "kyverno.namespace" . }}"]}]}}]' - {{- end -}} - {{- if .Values.config.generateSuccessEvents }} - generateSuccessEvents: {{ .Values.config.generateSuccessEvents | quote }} - {{- end -}} -{{- end -}} 
diff --git a/charts/kyverno/templates/crds.yaml b/charts/kyverno/templates/crds.yaml deleted file mode 100644 index 849e267c8da6..000000000000 --- a/charts/kyverno/templates/crds.yaml +++ /dev/null 
@@ -1,31421 +0,0 @@ -{{- if .Values.installCRDs }} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: admissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: AdmissionReport - listKind: AdmissionReportList - plural: admissionreports - shortNames: - - admr - singular: admissionreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: AdmissionReport is the Schema for the AdmissionReports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . 
| nindent 4 }} - name: backgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: BackgroundScanReport - listKind: BackgroundScanReportList - plural: backgroundscanreports - shortNames: - - bgscanr - singular: backgroundscanreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: BackgroundScanReport is the Schema for the BackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: cleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: CleanupPolicy - listKind: CleanupPolicyList - plural: cleanuppolicies - shortNames: - - cleanpol - singular: cleanuppolicy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: CleanupPolicy defines a rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. 
- Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. 
The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . 
| nindent 4 }} - name: clusteradmissionreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterAdmissionReport - listKind: ClusterAdmissionReportList - plural: clusteradmissionreports - shortNames: - - cadmr - singular: clusteradmissionreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - - jsonPath: .metadata.labels['audit\.kyverno\.io/report\.aggregate'] - name: AGGREGATE - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterAdmissionReport is the Schema for the ClusterAdmissionReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - owner: - description: Owner is a reference to the report owner (e.g. a Deployment, - Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. - type: boolean - controller: - description: If true, this reference points to the managing controller. - type: boolean - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names' - type: string - uid: - description: 'UID of the referent. 
More info: http://kubernetes.io/docs/user-guide/identifiers#uids' - type: string - required: - - apiVersion - - kind - - name - - uid - type: object - x-kubernetes-map-type: atomic - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - required: - - owner - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . 
| nindent 4 }} - name: clusterbackgroundscanreports.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterBackgroundScanReport - listKind: ClusterBackgroundScanReportList - plural: clusterbackgroundscanreports - shortNames: - - cbgscanr - singular: clusterbackgroundscanreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.ownerReferences[0].apiVersion - name: ApiVersion - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].kind - name: Kind - priority: 1 - type: string - - jsonPath: .metadata.ownerReferences[0].name - name: Subject - priority: 1 - type: string - - jsonPath: .spec.summary.pass - name: Pass - type: integer - - jsonPath: .spec.summary.fail - name: Fail - type: integer - - jsonPath: .spec.summary.warn - name: Warn - type: integer - - jsonPath: .spec.summary.error - name: Error - type: integer - - jsonPath: .spec.summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .metadata.labels['audit\.kyverno\.io/resource\.hash'] - name: Hash - priority: 1 - type: string - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterBackgroundScanReport is the Schema for the ClusterBackgroundScanReports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - properties: - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for - the policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for - the policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked - Kubernetes resources - items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule - execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within - the policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. 
- format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not - be evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not - selected for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: clustercleanuppolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterCleanupPolicy - listKind: ClusterCleanupPolicyList - plural: clustercleanuppolicies - shortNames: - - ccleanpol - singular: clustercleanuppolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.schedule - name: Schedule - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v2alpha1 - schema: - openAPIV3Schema: - description: ClusterCleanupPolicy defines rule for resource cleanup. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - conditions: - description: Conditions defines the conditions used to select the - resources which will be cleaned up. - properties: - all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) for - conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. 
- Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. 
The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. 
If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - schedule: - description: The schedule in Cron format - type: string - required: - - schedule - type: object - status: - description: Status contains policy runtime data. - properties: - conditions: - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . 
| nindent 4 }} - name: clusterpolicies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: ClusterPolicy - listKind: ClusterPolicyList - plural: clusterpolicies - shortNames: - - cpol - singular: clusterpolicy - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. 
- properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. 
Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. 
The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. 
Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" 
(at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" 
- (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" 
(matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. 
Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. 
- type: string - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. 
- type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. 
A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. 
- properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. 
- items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. 
- The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. 
An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. 
- properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - data: - description: Data specifies the POST data - sent to the server. 
- items: - description: RequestData contains the HTTP - POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type - (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" 
(matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. 
- type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. 
If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. 
- Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. 
Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. 
For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. 
- properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. 
- type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. 
- items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. 
- items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). 
- enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. 
- items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. 
Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. 
The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v2beta1 - schema: - openAPIV3Schema: - description: ClusterPolicy declares validation, mutation, and generation behaviors - for matching resources. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy behaviors. - properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. 
- type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - data: - description: Data specifies the POST data sent - to the server. 
- items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. 
Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. 
- properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). 
- enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. 
A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. 
Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - data: - description: Data specifies the POST - data sent to the server. 
- items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. 
- items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. 
- x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. 
- enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. 
The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. 
The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. 
This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. 
The data - returned is stored in the context with the name - for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the HTTP - POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type - (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. 
The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. 
- type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" 
(matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. 
- properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). 
- enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. 
- properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. 
- items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. 
Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. 
The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: generaterequests.kyverno.io -spec: - group: kyverno.io - names: - kind: GenerateRequest - listKind: GenerateRequestList - plural: generaterequests - shortNames: - - gr - singular: generaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1 - schema: - openAPIV3Schema: - description: GenerateRequest is a request to process generate rule. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the information to identify the generate request. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - type: string - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. 
- type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - policy: - description: Specifies the name of the policy. - type: string - resource: - description: ResourceSpec is the information to identify the generate - request. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - required: - - context - - policy - - resource - type: object - status: - description: Status contains statistics related to generate request. - properties: - generatedResources: - description: This will track the resources that are generated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - message: - description: Specifies request status message. - type: string - state: - description: State represents state of the generate request. - type: string - required: - - state - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . 
| nindent 4 }} - name: policies.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: Policy - listKind: PolicyList - plural: policies - shortNames: - - pol - singular: policy - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. 
- properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. - Allowed values are Ignore or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. - type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. 
Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - data: - description: Data specifies the POST data sent - to the server. - items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. 
The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' 
- properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. 
Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" 
(at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" 
- (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" 
(matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. 
Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. - Please specify under "any" or "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
- properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. 
- type: string - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. 
- type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. 
A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. 
- properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. 
Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. 
- items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain other - key-value pairs. Deprecated. Use annotations per Attestor - instead. - type: object - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of the - registry address, repository, image, and tag. Wildcards - (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used for - keyless signing. Deprecated. Use KeylessAttestor instead. - type: string - key: - description: Key is the PEM encoded public key that the - image or attestation is signed with. Deprecated. Use - StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. 
- The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. Use - KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. 
An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime information. Deprecated. 
Policy - metrics are available via the metrics endpoint - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - data: - description: Data specifies the POST data - sent to the server. 
- items: - description: RequestData contains the HTTP - POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type - (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" 
(matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. 
- properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. 
- type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. 
Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. 
- type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. 
- items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. 
Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. 
- type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. 
If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. 
- Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. 
Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. 
- properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. - properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. 
For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. 
- properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. 
- type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. 
Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. 
- items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. 
- items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). 
- enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. 
- properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. 
- items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. 
Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. 
The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - jsonPath: .spec.background - name: Background - type: boolean - - jsonPath: .spec.validationFailureAction - name: Validate Action - type: string - - jsonPath: .spec.failurePolicy - name: Failure Policy - priority: 1 - type: string - - jsonPath: .status.ready - name: Ready - type: boolean - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .status.rulecount.validate - name: Validate - priority: 1 - type: integer - - jsonPath: .status.rulecount.mutate - name: Mutate - priority: 1 - type: integer - - jsonPath: .status.rulecount.generate - name: Generate - priority: 1 - type: integer - - jsonPath: .status.rulecount.verifyimages - name: Verifyimages - priority: 1 - type: integer - name: v2beta1 - schema: - openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines policy behaviors and contains one or more rules. - properties: - applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. - enum: - - All - - One - type: string - background: - default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). - type: boolean - failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. - enum: - - Ignore - - Fail - type: string - generateExistingOnPolicyUpdate: - description: GenerateExistingOnPolicyUpdate controls whether to trigger - generate rule in existing resources If is set to "true" generate - rule will be triggered and applied to existing matched resources. - Defaults to "false" if not specified. 
- type: boolean - mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". - type: boolean - rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. - properties: - context: - description: Context defines variables and data sources that - can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON web - service - properties: - caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. - type: string - data: - description: Data specifies the POST data sent - to the server. 
- items: - description: RequestData contains the HTTP POST - data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type (GET - or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used in - the HTTP GET request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. - type: string - reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath context - variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath - expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. - type: string - value: - description: Value is any arbitrary JSON object representable - in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - generate: - description: Generation is used to create new resources. 
- properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source resource - used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - namespace: - description: Namespace specifies source resource namespace. - type: string - selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. - Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. 
Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. - type: object - match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. 
- Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. 
Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" - between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" 
- (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of - label selector requirements. The requirements - are ANDed. - items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty - the Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. 
- properties: - foreach: - description: ForEach applies mutation rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - data: - description: Data specifies the POST - data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). 
- enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. - See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. 
The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to be - mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must be - unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. 
A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. - items: - properties: - key: - description: Key is the context entry (using JMESPath) - for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional operation - to perform. 
Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or fail - a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, all of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. - Here, at least one of the conditions need to pass. - items: - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - AnyIn - - AllIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: object - foreach: - description: ForEach applies validate rules to a list of - sub-elements by creating a context for each entry in the - list and looping over it to apply the specified logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call to a - JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate - the server certificate. - type: string - data: - description: Data specifies the POST - data sent to the server. 
- items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data - value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request - type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service - URL. The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to - be used in the HTTP GET request to the - Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image - details. - properties: - jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. 
- properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. - type: string - value: - description: Value is any arbitrary JSON - object representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry (using - JMESPath) for conditional rule evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of annotation - for message and signature. Default is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. 
- items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty object - is provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. 
- properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while comparing - manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be displayed - on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. 
- x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security Standard - controls to be excluded. - items: - description: PodSecurityStandard specifies the Pod - Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - latest. Defaults to latest. 
- enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. - properties: - attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. - properties: - attestors: - description: Attestors specify the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. 
The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. - items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type of Predicate - contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of match - authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one or - more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an optional - PEM encoded set of certificates used - to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are - certificate-extensions used for keyless - signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked - and a root certificate chain is expected - instead. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. 
- If not provided, the system roots are - used. - type: string - subject: - description: Subject is the verified identity - used for keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one or more public - keys - properties: - kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not checked. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address of - the transparency log. Defaults to - the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret resource - that contains a public key - properties: - name: - description: Name of the secret. The - provided secret must contain a key - named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values are - sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - verifyDigest: - default: true - description: VerifyDigest validates that images have a - digest. - type: boolean - type: object - type: array - type: object - type: array - schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. 
The default value is set - to "true", it must be set to "false" to disable the validation checks. - type: boolean - validationFailureAction: - default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". - enum: - - audit - - enforce - - Audit - - Enforce - type: string - validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. - items: - properties: - action: - description: ValidationFailureAction defines the policy validation - failure action - enum: - - audit - - enforce - - Audit - - Enforce - type: string - namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. 
This - array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - items: - type: string - type: array - type: object - type: array - webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. - format: int32 - type: integer - type: object - status: - description: Status contains policy runtime data. - properties: - autogen: - description: Autogen contains autogen status information - properties: - rules: - description: Rules is a list of Rule instances. It contains auto - generated rules added for pod controllers - items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. - properties: - context: - description: Context defines variables and data sources - that can be used during rule execution. - items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. 
The data - returned is stored in the context with the name - for the context entry. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. - type: string - service: - description: Service is an API call to a JSON - web service - properties: - caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. - type: string - data: - description: Data specifies the POST data - sent to the server. - items: - description: RequestData contains the HTTP - POST data - properties: - key: - description: Key is a unique identifier - for the data value - type: string - value: - description: Value is the data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP request type - (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web service URL. - The typical format is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path to be used - in the HTTP GET request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap namespace. 
- type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. - properties: - jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary JMESPath - context variable that can be defined inline. - properties: - default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. - type: string - value: - description: Value is any arbitrary JSON object - representable in YAML or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. - properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. 
If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. 
The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. 
- items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - generate: - description: Generation is used to create new resources. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. - properties: - name: - description: Name specifies name of the resource. - type: string - namespace: - description: Namespace specifies source resource - namespace. - type: string - type: object - cloneList: - description: CloneList specifies the list of source - resource used to populate each generated resource. - properties: - kinds: - description: Kinds is a list of resource kinds. 
- items: - type: string - type: array - namespace: - description: Namespace specifies source resource - namespace. - type: string - selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. - x-kubernetes-preserve-unknown-fields: true - kind: - description: Kind specifies resource kind. 
- type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. - Optional. Defaults to "false" if not specified. - type: boolean - type: object - imageExtractors: - additionalProperties: - items: - properties: - key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. - type: string - name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. - type: string - path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. - type: string - value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. - type: string - required: - - path - type: object - type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. - type: object - match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. - At least one kind is required. 
- properties: - all: - description: All allows specifying resources which will - be ANDed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. 
- items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. 
- Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will - be ORed - items: - description: ResourceFilter allow users to "AND" or - "OR" between resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and - "?" (matches at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). 
- items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). 
- items: - type: string - type: array - selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' - properties: - matchExpressions: - description: matchExpressions is a list - of label selector requirements. The - requirements are ANDed. - items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. - properties: - key: - description: key is the label key - that the selector applies to. - type: string - operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic - merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role - names for the user. 
- items: - type: string - type: array - subjects: - description: Subjects is the list of subject names - like users, user groups, and service accounts. - items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - clusterRoles: - description: ClusterRoles is the list of cluster-wide - role names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" 
(matches - at least one character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' - type: string - names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are - ANDed. - items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. - properties: - key: - description: key is the label key that - the selector applies to. - type: string - operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic - merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. - type: string - kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - mutate: - description: Mutation is used to modify matching resources. 
- properties: - foreach: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies mutation rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). 
- enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. - type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. 
- x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. - x-kubernetes-preserve-unknown-fields: true - patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. - type: string - targets: - description: Targets defines the target resources to - be mutated. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. 
- type: string - type: object - type: array - type: object - name: - description: Name is a label to identify the rule, It must - be unique within the policy. - maxLength: 63 - type: string - preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' - x-kubernetes-preserve-unknown-fields: true - validate: - description: Validation is used to validate matching resources. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - deny: - description: Deny defines conditions used to pass or - fail a validation rule. - properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility - but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - foreach: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - items: - description: ForEach applies validate rules to a list - of sub-elements by creating a context for each entry - in the list and looping over it to apply the specified - logic. - properties: - anyPattern: - description: AnyPattern specifies list of validation - patterns. 
At least one of the patterns must - be satisfied for the validation rule to succeed. - x-kubernetes-preserve-unknown-fields: true - context: - description: Context defines variables and data - sources that can be used during rule execution. - items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. - properties: - apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. - type: string - service: - description: Service is an API call - to a JSON web service - properties: - caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. - type: string - data: - description: Data specifies the - POST data sent to the server. - items: - description: RequestData contains - the HTTP POST data - properties: - key: - description: Key is a unique - identifier for the data - value - type: string - value: - description: Value is the - data value - x-kubernetes-preserve-unknown-fields: true - required: - - key - - value - type: object - type: array - requestType: - default: GET - description: Method is the HTTP - request type (GET or POST). - enum: - - GET - - POST - type: string - urlPath: - description: URL is the JSON web - service URL. The typical format - is `https://{service}.{namespace}:{port}/{path}`. 
- type: string - required: - - requestType - - urlPath - type: object - urlPath: - description: URLPath is the URL path - to be used in the HTTP GET request - to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. - type: string - type: object - configMap: - description: ConfigMap is the ConfigMap - reference. - properties: - name: - description: Name is the ConfigMap name. - type: string - namespace: - description: Namespace is the ConfigMap - namespace. - type: string - required: - - name - type: object - imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. - properties: - jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing - the image reference. - type: string - reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' - type: string - required: - - reference - type: object - name: - description: Name is the variable name. - type: string - variable: - description: Variable defines an arbitrary - JMESPath context variable that can be - defined inline. - properties: - default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil - x-kubernetes-preserve-unknown-fields: true - jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. - type: string - value: - description: Value is any arbitrary - JSON object representable in YAML - or JSON form. - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: array - deny: - description: Deny defines conditions used to pass - or fail a validation rule. 
- properties: - conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' - x-kubernetes-preserve-unknown-fields: true - type: object - elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. - type: boolean - foreach: - description: Foreach declares a nested foreach - iterator - x-kubernetes-preserve-unknown-fields: true - list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. - type: string - pattern: - description: Pattern specifies an overlay-style - pattern used to check resources. - x-kubernetes-preserve-unknown-fields: true - preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. 
- x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context entry - (using JMESPath) for conditional rule - evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - manifests: - description: Manifest specifies conditions for manifest - verification - properties: - annotationDomain: - description: AnnotationDomain is custom domain of - annotation for message and signature. Default - is "cosign.sigstore.dev". - type: string - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. 
Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. - type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set - of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is - an optional PEM encoded set of - certificates used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked and a root - certificate chain is expected - instead. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If the value is nil, - Rekor is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. 
- The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - dryRun: - description: DryRun configuration - properties: - enable: - type: boolean - namespace: - type: string - type: object - ignoreFields: - description: Fields which will be ignored while - comparing manifests. - items: - properties: - fields: - items: - type: string - type: array - objects: - items: - properties: - group: - type: string - kind: - type: string - name: - type: string - namespace: - type: string - version: - type: string - type: object - type: array - type: object - type: array - repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. - type: string - type: object - message: - description: Message specifies a custom message to be - displayed on failure. - type: string - pattern: - description: Pattern specifies an overlay-style pattern - used to check resources. - x-kubernetes-preserve-unknown-fields: true - podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. - properties: - exclude: - description: Exclude specifies the Pod Security - Standard controls to be excluded. 
- items: - description: PodSecurityStandard specifies the - Pod Security Standard controls to be excluded. - properties: - controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' - enum: - - HostProcess - - Host Namespaces - - Privileged Containers - - Capabilities - - HostPath Volumes - - Host Ports - - AppArmor - - SELinux - - /proc Mount Type - - Seccomp - - Sysctls - - Volume Types - - Privilege Escalation - - Running as Non-root - - Running as Non-root user - type: string - images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - required: - - controlName - type: object - type: array - level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. - enum: - - privileged - - baseline - - restricted - type: string - version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, latest. Defaults to latest. - enum: - - v1.19 - - v1.20 - - v1.21 - - v1.22 - - v1.23 - - v1.24 - - v1.25 - - latest - type: string - type: object - type: object - verifyImages: - description: VerifyImages is used to verify image signatures - and mutate them to add a digest - items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. 
Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions are certificate-extensions - used for keyless signing. Deprecated. - type: object - annotations: - additionalProperties: - type: string - description: Annotations are used for image verification. - Every specified key-value pair must exist and match - in the verified payload. The payload may contain - other key-value pairs. Deprecated. Use annotations - per Attestor instead. - type: object - attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. - items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. - properties: - attestors: - description: Attestors specify the required - attestors (i.e. authorities) - items: - properties: - count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used - for image verification. 
Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. - type: object - attestor: - description: Attestor is a nested - AttestorSet used to specify a - more complex set of match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies - one or more certificates - properties: - cert: - description: Certificate is - an optional PEM encoded public - certificate. - type: string - certChain: - description: CertificateChain - is an optional PEM encoded - set of certificates used to - verify - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions - used for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked and a root - certificate chain is expected - instead. If an empty object - is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. 
- type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. - type: string - subject: - description: Subject is the - verified identity used for - keyless signing, for example - the email address - type: string - type: object - keys: - description: Keys specifies one - or more public keys - properties: - kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. - type: string - rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If the value is nil, Rekor - is not checked. If an empty - object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the - address of the transparency - log. Defaults to the public - log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a - Secret resource that contains - a public key - properties: - name: - description: Name of the - secret. 
The provided secret - must contain a key named - cosign.pub. - type: string - namespace: - description: Namespace name - where the Secret exists. - type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature - algorithm for public keys. - Supported values are sha256 - and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. - type: string - type: object - type: array - type: object - type: array - conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. - items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. - properties: - all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass - items: - description: Condition defines variable-based - conditional criteria for rule execution. - properties: - key: - description: Key is the context - entry (using JMESPath) for conditional - rule evaluation. - x-kubernetes-preserve-unknown-fields: true - operator: - description: 'Operator is the conditional - operation to perform. 
Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' - enum: - - Equals - - NotEquals - - In - - AnyIn - - AllIn - - NotIn - - AnyNotIn - - AllNotIn - - GreaterThanOrEquals - - GreaterThan - - LessThanOrEquals - - LessThan - - DurationGreaterThanOrEquals - - DurationGreaterThan - - DurationLessThanOrEquals - - DurationLessThan - type: string - value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. - x-kubernetes-preserve-unknown-fields: true - type: object - type: array - type: object - type: array - predicateType: - description: PredicateType defines the type - of Predicate contained within the Statement. - type: string - required: - - predicateType - type: object - type: array - attestors: - description: Attestors specified the required attestors - (i.e. authorities) - items: - properties: - count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. - minimum: 1 - type: integer - entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. - items: - properties: - annotations: - additionalProperties: - type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. 
- type: object - attestor: - description: Attestor is a nested AttestorSet - used to specify a more complex set of - match authorities - x-kubernetes-preserve-unknown-fields: true - certificates: - description: Certificates specifies one - or more certificates - properties: - cert: - description: Certificate is an optional - PEM encoded public certificate. - type: string - certChain: - description: CertificateChain is an - optional PEM encoded set of certificates - used to verify - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - type: object - keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. - See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. - properties: - additionalExtensions: - additionalProperties: - type: string - description: AdditionalExtensions - are certificate-extensions used - for keyless signing. - type: object - issuer: - description: Issuer is the certificate - issuer used for keyless signing. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked and a root certificate chain - is expected instead. If an empty - object is provided the public instance - of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. 
If not provided, the - system roots are used. - type: string - subject: - description: Subject is the verified - identity used for keyless signing, - for example the email address - type: string - type: object - keys: - description: Keys specifies one or more - public keys - properties: - kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' - type: string - publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. - type: string - rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If the value is nil, Rekor is not - checked. If an empty object is provided - the public instance of Rekor (https://rekor.sigstore.dev) - is used. - properties: - url: - description: URL is the address - of the transparency log. Defaults - to the public log https://rekor.sigstore.dev. - type: string - required: - - url - type: object - secret: - description: Reference to a Secret - resource that contains a public - key - properties: - name: - description: Name of the secret. - The provided secret must contain - a key named cosign.pub. - type: string - namespace: - description: Namespace name where - the Secret exists. 
- type: string - required: - - name - - namespace - type: object - signatureAlgorithm: - default: sha256 - description: Specify signature algorithm - for public keys. Supported values - are sha256 and sha512 - type: string - type: object - repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. - type: string - type: object - type: array - type: object - type: array - image: - description: 'Image is the image name consisting of - the registry address, repository, image, and tag. - Wildcards (''*'' and ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. - Deprecated. Use ImageReferences instead.' - type: string - imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' - items: - type: string - type: array - issuer: - description: Issuer is the certificate issuer used - for keyless signing. Deprecated. Use KeylessAttestor - instead. - type: string - key: - description: Key is the PEM encoded public key that - the image or attestation is signed with. Deprecated. - Use StaticKeyAttestor instead. - type: string - mutateDigest: - default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. - type: boolean - repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. 
The repository can also be - overridden per Attestor or Attestation. - type: string - required: - default: true - description: Required validates that images are verified - i.e. have matched passed a signature or attestation - check. - type: boolean - roots: - description: Roots is the PEM encoded Root certificate - chain used for keyless signing Deprecated. Use KeylessAttestor - instead. - type: string - subject: - description: Subject is the identity used for keyless - signing, for example an email address Deprecated. - Use KeylessAttestor instead. - type: string - verifyDigest: - default: true - description: VerifyDigest validates that images have - a digest. - type: boolean - type: object - type: array - type: object - type: array - type: object - conditions: - description: Conditions is a list of conditions that apply to the - policy - items: - description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" - properties: - lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: message is a human readable message indicating - details about the transition. This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - ready: - description: Ready indicates if the policy is ready to serve the admission - request. 
Deprecated in favor of Conditions - type: boolean - rulecount: - description: RuleCount describes total number of rules in a policy - properties: - generate: - description: Count for generate rules in policy - type: integer - mutate: - description: Count for mutate rules in policy - type: integer - validate: - description: Count for validate rules in policy - type: integer - verifyimages: - description: Count for verify image rules in policy - type: integer - required: - - generate - - mutate - - validate - - verifyimages - type: object - required: - - ready - type: object - required: - - spec - type: object - served: true - storage: false - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: policyexceptions.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: PolicyException - listKind: PolicyExceptionList - plural: policyexceptions - shortNames: - - polex - singular: policyexception - scope: Namespaced - versions: - - name: v2alpha1 - schema: - openAPIV3Schema: - description: PolicyException declares resources to be excluded from specified - policies. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec declares policy exception behaviors. - properties: - exceptions: - description: Exceptions is a list policy/rules to be excluded - items: - description: Exception stores infos about a policy and rules - properties: - policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. - type: string - ruleNames: - description: RuleNames identifies the rules to which the exception - is applied. - items: - type: string - type: array - required: - - policyName - - ruleNames - type: object - type: array - match: - description: Match defines match clause used to check if a resource - applies to the exception - properties: - all: - description: All allows specifying resources which will be ANDed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. - properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' 
- type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. 
- type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. - type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - any: - description: Any allows specifying resources which will be ORed - items: - description: ResourceFilter allow users to "AND" or "OR" between - resources - properties: - clusterRoles: - description: ClusterRoles is the list of cluster-wide role - names for the user. - items: - type: string - type: array - resources: - description: ResourceDescription contains information about - the resource being created or modified. 
- properties: - annotations: - additionalProperties: - type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). - type: object - kinds: - description: Kinds is a list of resource kinds. - items: - type: string - type: array - name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' - type: string - names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - items: - type: string - type: array - namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). - items: - type: string - type: array - selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. 
If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - roles: - description: Roles is the list of namespaced role names - for the user. - items: - type: string - type: array - subjects: - description: Subjects is the list of subject names like - users, user groups, and service accounts. - items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. - properties: - apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. - type: string - kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. - type: string - name: - description: Name of the object being referenced. - type: string - namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. 
- type: string - required: - - kind - - name - type: object - x-kubernetes-map-type: atomic - type: array - type: object - type: array - type: object - required: - - exceptions - - match - type: object - required: - - spec - type: object - served: true - storage: true ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: updaterequests.kyverno.io -spec: - group: kyverno.io - names: - categories: - - kyverno - kind: UpdateRequest - listKind: UpdateRequestList - plural: updaterequests - shortNames: - - ur - singular: updaterequest - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .spec.policy - name: Policy - type: string - - jsonPath: .spec.requestType - name: RuleType - type: string - - jsonPath: .spec.resource.kind - name: ResourceKind - type: string - - jsonPath: .spec.resource.name - name: ResourceName - type: string - - jsonPath: .spec.resource.namespace - name: ResourceNamespace - type: string - - jsonPath: .status.state - name: status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - description: UpdateRequest is a request to process mutate and generate rules - in background. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. 
Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec is the information to identify the update request. - properties: - context: - description: Context ... - properties: - admissionRequestInfo: - description: AdmissionRequestInfoObject stores the admission request - and operation details - properties: - admissionRequest: - description: AdmissionRequest describes the admission.Attributes - for the admission request. - properties: - dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. - type: boolean - kind: - description: Kind is the fully-qualified type of object - being submitted (for example, v1.Pod or autoscaling.v1.Scale) - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. - type: string - namespace: - description: Namespace is the namespace associated with - the request (if any). - type: string - object: - description: Object is the object from the incoming request. - type: object - x-kubernetes-preserve-unknown-fields: true - oldObject: - description: OldObject is the existing object. Only populated - for DELETE and UPDATE requests. - type: object - x-kubernetes-preserve-unknown-fields: true - operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. 
- type: string - options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. - type: object - x-kubernetes-preserve-unknown-fields: true - requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. \n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." - properties: - group: - type: string - kind: - type: string - version: - type: string - required: - - group - - kind - - version - type: object - requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. 
\n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. - type: string - resource: - description: Resource is the fully-qualified resource - being requested (for example, v1.pods) - properties: - group: - type: string - resource: - type: string - version: - type: string - required: - - group - - resource - - version - type: object - subResource: - description: SubResource is the subresource being requested, - if any (for example, "status" or "scale") - type: string - uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. 
It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. - type: string - userInfo: - description: UserInfo is information about the requesting - user - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by - the authenticator. - type: object - groups: - description: The names of groups this user is a part - of. - items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this - user among all active users. - type: string - type: object - required: - - kind - - operation - - resource - - uid - - userInfo - type: object - operation: - description: Operation is the type of resource operation being - checked for admission control - type: string - type: object - userInfo: - description: RequestInfo contains permission info carried in an - admission request. - properties: - clusterRoles: - description: ClusterRoles is a list of possible clusterRoles - send the request. - items: - type: string - nullable: true - type: array - roles: - description: Roles is a list of possible role send the request. - items: - type: string - nullable: true - type: array - userInfo: - description: UserInfo is the userInfo carried in the admission - request. - properties: - extra: - additionalProperties: - description: ExtraValue masks the value so protobuf - can generate - items: - type: string - type: array - description: Any additional information provided by the - authenticator. - type: object - groups: - description: The names of groups this user is a part of. 
- items: - type: string - type: array - uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. - type: string - username: - description: The name that uniquely identifies this user - among all active users. - type: string - type: object - type: object - type: object - policy: - description: Specifies the name of the policy. - type: string - requestType: - description: Type represents request type for background processing - enum: - - mutate - - generate - type: string - resource: - description: ResourceSpec is the information to identify the update - request. - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - required: - - context - - policy - - resource - type: object - status: - description: Status contains statistics related to update request. - properties: - generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. - items: - properties: - apiVersion: - description: APIVersion specifies resource apiVersion. - type: string - kind: - description: Kind specifies resource kind. - type: string - name: - description: Name specifies the resource name. - type: string - namespace: - description: Namespace specifies resource namespace. - type: string - type: object - type: array - handler: - description: Handler represents the instance ID that handles the UR - type: string - message: - description: Specifies request status message. - type: string - state: - description: State represents state of the update request. 
- type: string - required: - - state - type: object - type: object - served: true - storage: true - subresources: - status: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . | nindent 4 }} - name: clusterpolicyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: ClusterPolicyReport - listKind: ClusterPolicyReportList - plural: clusterpolicyreports - shortNames: - - cpolr - singular: clusterpolicyreport - scope: Cluster - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: ClusterPolicyReport is the Schema for the clusterpolicyreports - API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - {{- with .Values.crds.annotations }} - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - {{- include "kyverno.crdLabels" . 
| nindent 4 }} - name: policyreports.wgpolicyk8s.io -spec: - group: wgpolicyk8s.io - names: - kind: PolicyReport - listKind: PolicyReportList - plural: policyreports - shortNames: - - polr - singular: policyreport - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .scope.kind - name: Kind - priority: 1 - type: string - - jsonPath: .scope.name - name: Name - priority: 1 - type: string - - jsonPath: .summary.pass - name: Pass - type: integer - - jsonPath: .summary.fail - name: Fail - type: integer - - jsonPath: .summary.warn - name: Warn - type: integer - - jsonPath: .summary.error - name: Error - type: integer - - jsonPath: .summary.skip - name: Skip - type: integer - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha2 - schema: - openAPIV3Schema: - description: PolicyReport is the Schema for the policyreports API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - results: - description: PolicyReportResult provides result details - items: - description: PolicyReportResult provides the result for an individual - policy - properties: - category: - description: Category indicates policy category - type: string - message: - description: Description is a short user friendly message for the - policy rule - type: string - policy: - description: Policy is the name or identifier of the policy - type: string - properties: - additionalProperties: - type: string - description: Properties provides additional information for the - policy rule - type: object - resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. - properties: - key: - description: key is the label key that the selector applies - to. - type: string - operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. - type: string - values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - resources: - description: Subjects is an optional reference to the checked Kubernetes - resources - items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. 
\n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - type: array - result: - description: Result indicates the outcome of the policy rule execution - enum: - - pass - - fail - - warn - - error - - skip - type: string - rule: - description: Rule is the name or identifier of the rule within the - policy - type: string - scored: - description: Scored indicates if this result is scored - type: boolean - severity: - description: Severity indicates policy check result criticality - enum: - - critical - - high - - low - - medium - - info - type: string - source: - description: Source is an identifier for the policy engine that - manages this report - type: string - timestamp: - description: Timestamp indicates the time the result was found - properties: - nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. - format: int32 - type: integer - seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to - 9999-12-31T23:59:59Z inclusive. - format: int64 - type: integer - required: - - nanos - - seconds - type: object - required: - - policy - type: object - type: array - scope: - description: Scope is an optional reference to the report scope (e.g. - a Deployment, Namespace, or Node) - properties: - apiVersion: - description: API version of the referent. - type: string - fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. 
For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' - type: string - kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' - type: string - namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' - type: string - resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' - type: string - uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' - type: string - type: object - x-kubernetes-map-type: atomic - scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. - The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies - to. 
- type: string - operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - summary: - description: PolicyReportSummary provides a summary of results - properties: - error: - description: Error provides the count of policies that could not be - evaluated - type: integer - fail: - description: Fail provides the count of policies whose requirements - were not met - type: integer - pass: - description: Pass provides the count of policies whose requirements - were met - type: integer - skip: - description: Skip indicates the count of policies that were not selected - for evaluation - type: integer - warn: - description: Warn provides the count of non-scored policies whose - requirements were not met - type: integer - type: object - type: object - served: true - storage: true - subresources: {} -{{- end }}
diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml
deleted file mode 100644
index 39e7a11e6496..000000000000
--- a/charts/kyverno/templates/deployment.yaml
+++ /dev/null
@@ -1,183 +0,0 @@ -{{- if not .Values.templating.debug -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} -spec: - {{- with .Values.replicaCount }} - replicas: {{ . }} - {{- end }} - selector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} - {{- if .Values.updateStrategy }} - strategy: - {{ toYaml .Values.updateStrategy | nindent 4 | trim }} - {{- end }} - template: - metadata: - labels: - {{- include "kyverno.labels" . | nindent 8 }} - {{- range $key, $value := .Values.podLabels }} - {{ $key }}: {{ $value }} - {{- end }} - {{- with .Values.podAnnotations }} - annotations: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - spec: - {{- with .Values.image.pullSecrets }} - imagePullSecrets: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.podSecurityContext }} - securityContext: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- if or .Values.antiAffinity.enable .Values.podAffinity .Values.nodeAffinity }} - affinity: - {{- if .Values.antiAffinity.enable }} - {{- with .Values.podAntiAffinity }} - podAntiAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} - {{- with .Values.podAffinity }} - podAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- with .Values.nodeAffinity }} - nodeAffinity: - {{- tpl (toYaml .) $ | nindent 10 }} - {{- end }} - {{- end }} - {{- with .Values.nodeSelector }} - nodeSelector: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: {{ tpl (toYaml .) $ | nindent 8 }} - {{- end }} - serviceAccountName: {{ template "kyverno.serviceAccountName" . 
}} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName | quote }} - {{- end }} - {{- if .Values.hostNetwork }} - hostNetwork: {{ .Values.hostNetwork }} - {{- end }} - {{- if .Values.dnsPolicy }} - dnsPolicy: {{ .Values.dnsPolicy }} - {{- end }} - initContainers: - {{- if .Values.extraInitContainers }} - {{- toYaml .Values.extraInitContainers | nindent 8 }} - {{- end }} - - name: kyverno-pre - image: {{ include "kyverno.image" (dict "image" .Values.initImage "defaultTag" (default .Chart.AppVersion .Values.image.tag)) | quote }} - imagePullPolicy: {{ default .Values.image.pullPolicy .Values.initImage.pullPolicy }} - {{- if .Values.initContainer.extraArgs }} - args: - {{- tpl (toYaml .Values.initContainer.extraArgs) . | nindent 12 }} - {{- end }} - {{- with .Values.initResources }} - resources: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if .Values.securityContext }} - securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} - {{- end }} - env: - - name: METRICS_CONFIG - value: {{ template "kyverno.metricsConfigMapName" . }} - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_DEPLOYMENT - value: {{ template "kyverno.fullname" . }} - {{- with .Values.envVarsInit }} - {{- toYaml . | nindent 10 }} - {{- end }} - containers: - {{- if .Values.extraContainers }} - {{- toYaml .Values.extraContainers | nindent 8 }} - {{- end }} - - name: kyverno - image: {{ include "kyverno.image" (dict "image" .Values.image "defaultTag" .Chart.AppVersion) | quote }} - imagePullPolicy: {{ .Values.image.pullPolicy }} - {{- if or .Values.extraArgs .Values.imagePullSecrets }} - args: - {{- if .Values.extraArgs -}} - {{ tpl (toYaml .Values.extraArgs) . 
| nindent 12 }} - {{- end }} - {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }} - - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }} - {{- end }} - {{- end }} - {{- with .Values.resources }} - resources: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- if .Values.securityContext }} - securityContext: {{ include "kyverno.securityContext" . | nindent 12 }} - {{- end }} - ports: - - containerPort: 9443 - name: https - protocol: TCP - - containerPort: 8000 - name: metrics-port - protocol: TCP - env: - - name: INIT_CONFIG - value: {{ template "kyverno.configMapName" . }} - - name: METRICS_CONFIG - value: {{ template "kyverno.metricsConfigMapName" . }} - - name: KYVERNO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: KYVERNO_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: KYVERNO_SERVICEACCOUNT_NAME - value: {{ template "kyverno.serviceAccountName" . }} - - name: KYVERNO_SVC - value: {{ template "kyverno.serviceName" . }} - - name: TUF_ROOT - value: {{ .Values.tufRootMountPath }} - {{- with .Values.envVars }} - {{- toYaml . | nindent 10 }} - {{- end }} - - name: KYVERNO_DEPLOYMENT - value: {{ template "kyverno.fullname" . }} - {{- with .Values.startupProbe }} - startupProbe: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.livenessProbe }} - livenessProbe: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - {{- with .Values.readinessProbe }} - readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }} - {{- end }} - volumeMounts: - - mountPath: {{ .Values.tufRootMountPath }} - name: sigstore - - mountPath: /var/run/secrets/tokens - name: api-token - volumes: - - name: sigstore - emptyDir: {} - - name: api-token - projected: - sources: - - serviceAccountToken: - path: api-token - expirationSeconds: 600 - audience: kyverno-extension -{{- end -}} 
diff --git a/charts/kyverno/templates/grafana/dashboard.yaml b/charts/kyverno/templates/grafana/dashboard.yaml deleted file mode 100644 index 7f4fb3eea03b..000000000000 --- a/charts/kyverno/templates/grafana/dashboard.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.grafana.enabled -}} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "kyverno.configMapName" . }}-grafana - namespace: {{ default (include "kyverno.namespace" .) .Values.grafana.namespace }} - annotations: - {{- toYaml .Values.grafana.annotations | nindent 4 }} - labels: - grafana_dashboard: "1" -data: -{{ (.Files.Glob "grafana/*").AsConfig | indent 2 }} -{{- end -}} diff --git a/charts/kyverno/templates/helm-pre-delete-hook.yaml b/charts/kyverno/templates/helm-pre-delete-hook.yaml deleted file mode 100644 index ac1b02fd6a72..000000000000 --- a/charts/kyverno/templates/helm-pre-delete-hook.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.webhooksCleanup.enabled }} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ template "kyverno.fullname" . }}-hook-pre-delete - labels: - {{- include "kyverno.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-delete-policy": hook-succeeded,hook-failed -spec: - template: - spec: - serviceAccount: {{ template "kyverno.serviceAccountName" . }} - containers: - - name: kubectl - image: {{ .Values.webhooksCleanup.image }} - command: - - sh - - '-c' - - >- - kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno; - kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno; - restartPolicy: Never - backoffLimit: 2 -{{- end }} \ No newline at end of file diff --git a/charts/kyverno/templates/hooks/_helpers.tpl b/charts/kyverno/templates/hooks/_helpers.tpl new file mode 100644 index 000000000000..edc290b663bd --- /dev/null +++ b/charts/kyverno/templates/hooks/_helpers.tpl 
@@ -0,0 +1,15 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.hooks.labels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.hooks.matchLabels" .) +) -}} +{{- end -}} + +{{- define "kyverno.hooks.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "hooks") +) -}} +{{- end -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml new file mode 100644 index 000000000000..0aec49dd95bb --- /dev/null +++ b/charts/kyverno/templates/hooks/post-upgrade-clean-reports.yaml 
@@ -0,0 +1,95 @@ +{{- if .Values.policyReportsCleanup.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-clean-reports + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.policyReportsCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} + {{- with .Values.policyReportsCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.policyReportsCleanup.image "defaultTag" (default .Chart.AppVersion .Values.policyReportsCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.policyReportsCleanup.image.pullPolicy }} + command: + - /bin/bash + - -c + - | + set -euo pipefail + NAMESPACES=$(kubectl get namespaces --no-headers=true | awk '{print $1}') + + for ns in ${NAMESPACES[@]}; + do + COUNT=$(kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | wc -l) + + if [ $COUNT -gt 0 ]; then + echo "deleting $COUNT policyreports in namespace $ns" + kubectl get policyreports.wgpolicyk8s.io -n $ns --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete -n $ns policyreports.wgpolicyk8s.io + else + echo "no policyreports in namespace $ns" + fi + done + + COUNT=$(kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | wc -l) + + if [ 
$COUNT -gt 0 ]; then + echo "deleting $COUNT clusterpolicyreports" + kubectl get clusterpolicyreports.wgpolicyk8s.io --no-headers=true | awk '/pol/{print $1}' | xargs kubectl delete clusterpolicyreports.wgpolicyk8s.io + else + echo "no clusterpolicyreports" + fi + {{- with .Values.policyReportsCleanup.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.policyReportsCleanup.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.policyReportsCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.policyReportsCleanup.podAntiAffinity .Values.policyReportsCleanup.podAffinity .Values.policyReportsCleanup.nodeAffinity }} + affinity: + {{- with .Values.policyReportsCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.policyReportsCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.policyReportsCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml new file mode 100644 index 000000000000..034bea6723dc --- /dev/null +++ b/charts/kyverno/templates/hooks/post-upgrade-migrate-resources.yaml 
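Review bot: The clean-reports Job runs as `serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }}`, so a one-off cleanup hook inherits the admission controller's full set of cluster permissions, whereas the migrate-resources and remove-configmap hooks in this same commit each get a dedicated ServiceAccount and a role limited to what their script does. A dedicated `-clean-reports` ServiceAccount with a ClusterRole covering roughly `list` on `namespaces` and `get`/`list`/`delete` on `policyreports` and `clusterpolicyreports` in `wgpolicyk8s.io` would keep this hook least-privilege. The script selects reports with `awk '/pol/{print $1}'`, i.e. by a substring of the report name rather than by a label; if every report of that kind is meant to go, `kubectl delete policyreports.wgpolicyk8s.io -n $ns --all` states that directly, and if only Kyverno-generated reports are meant, the naming convention the filter relies on should be stated in a comment. Under `set -euo pipefail` a single namespace where the `kubectl get` fails aborts the whole loop, which may be intended but is worth a comment as well.
```yaml
# … new ServiceAccount / ClusterRole / ClusterRoleBinding for the hook, shaped like post-upgrade-migrate-resources.yaml …
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
  - apiGroups:
      - wgpolicyk8s.io
    resources:
      - policyreports
      - clusterpolicyreports
    verbs:
      - get
      - list
      - delete
# … Job unchanged except for the pod's service account …
      serviceAccount: {{ template "kyverno.fullname" . }}-clean-reports
```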
@@ -0,0 +1,138 @@ +{{- if .Values.crds.migration.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.fullname" . }}:migrate-resources + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +rules: + - apiGroups: + - kyverno.io + resources: + - '*' + verbs: + - get + - list + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions/status + verbs: + - update +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:migrate-resources + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kyverno.fullname" . }}:migrate-resources +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "100" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-migrate-resources + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . 
| nindent 4 }} + annotations: + helm.sh/hook: post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "200" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.crds.migration.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccount: {{ template "kyverno.fullname" . }}-migrate-resources + {{- with .Values.crds.migration.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.crds.migration.image "defaultTag" (default .Chart.AppVersion .Values.crds.migration.image.tag))) | quote }} + imagePullPolicy: {{ .Values.crds.migration.image.pullPolicy }} + args: + - migrate + {{- range .Values.crds.migration.resources }} + - --resource + - {{ . }} + {{- end }} + {{- with .Values.crds.migration.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.crds.migration.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.crds.migration.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.crds.migration.podAntiAffinity .Values.crds.migration.podAffinity .Values.crds.migration.nodeAffinity }} + affinity: + {{- with .Values.crds.migration.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.crds.migration.podAffinity }} + podAffinity: + {{- tpl (toYaml .) 
$ | nindent 10 }} + {{- end }} + {{- with .Values.crds.migration.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/hooks/pre-delete-configmap.yaml b/charts/kyverno/templates/hooks/pre-delete-configmap.yaml new file mode 100644 index 000000000000..116fdc848537 --- /dev/null +++ b/charts/kyverno/templates/hooks/pre-delete-configmap.yaml 
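Review bot: The `:migrate-resources` ClusterRole grants `get`/`list`/`update` on every resource in `kyverno.io` (`resources: - '*'`) even though the Job's arguments enumerate exactly which resources it migrates through `.Values.crds.migration.resources`; if those values are plain resource names, ranging over them in the rule would keep the grant to what the hook actually touches. The ServiceAccount's `helm.sh/hook-delete-policy` omits `hook-failed` while the ClusterRole, ClusterRoleBinding and Job include it, so after a failed run the ServiceAccount is left behind without its binding or Job; the same asymmetry appears in pre-delete-configmap.yaml. If keeping the account around for debugging is deliberate, a comment next to that annotation saying so would save the next reader the question.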
@@ -0,0 +1,128 @@ +{{- if .Values.config.preserve -}} +{{- if not .Values.templating.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kyverno.fullname" . }}:remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "0" +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - list + - get + - delete +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "kyverno.fullname" . }}:remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kyverno.fullname" . }}:remove-configmap +subjects: + - kind: ServiceAccount + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + helm.sh/hook-weight: "0" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-remove-configmap + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . 
| nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "10" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.webhooksCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccount: {{ template "kyverno.fullname" . }}-remove-configmap + {{- with .Values.webhooksCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + {{- with .Values.webhooksCleanup.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} + command: + - /bin/bash + - '-c' + - |- + set -euo pipefail + kubectl delete cm -n {{ template "kyverno.namespace" . }} {{ template "kyverno.config.configMapName" . }} + {{- with .Values.webhooksCleanup.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.tolerations }} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }} + affinity: + {{- with .Values.webhooksCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) 
$ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml new file mode 100644 index 000000000000..94b24c5e5856 --- /dev/null +++ b/charts/kyverno/templates/hooks/pre-delete-scale-to-zero.yaml 
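Review bot: The `:remove-configmap` Role grants `list`/`get`/`delete` on every ConfigMap in the namespace, while the script runs a single `kubectl delete cm` on the map named by `kyverno.config.configMapName`; adding `resourceNames: [{{ template "kyverno.config.configMapName" . }}]` to the rule, and dropping `list` (which `resourceNames` cannot constrain and the script as written should not need), narrows the hook to that one object. The Job is gated on `.Values.config.preserve` but takes its image, pull secrets, security contexts, tolerations and affinity from `.Values.webhooksCleanup.*`; that coupling should be stated in values.yaml or in a template comment such as `{{/* pod settings are shared with the webhooksCleanup hook */}}`, since a user who disables `webhooksCleanup` would not expect its image settings to still drive this Job.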
@@ -0,0 +1,78 @@ +{{- if .Values.webhooksCleanup.enabled -}} +{{- if not .Values.templating.enabled -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kyverno.fullname" . }}-scale-to-zero + namespace: {{ template "kyverno.namespace" . }} + labels: + {{- include "kyverno.hooks.labels" . | nindent 4 }} + annotations: + helm.sh/hook: pre-delete + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed + helm.sh/hook-weight: "100" +spec: + backoffLimit: 2 + template: + metadata: + {{- with .Values.webhooksCleanup.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.podLabels }} + labels: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccount: {{ template "kyverno.admission-controller.serviceAccountName" . }} + {{- with .Values.webhooksCleanup.podSecurityContext }} + securityContext: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + restartPolicy: Never + {{- with .Values.webhooksCleanup.imagePullSecrets }} + imagePullSecrets: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: kubectl + image: {{ (include "kyverno.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.webhooksCleanup.image "defaultTag" (default .Chart.AppVersion .Values.webhooksCleanup.image.tag))) | quote }} + imagePullPolicy: {{ .Values.webhooksCleanup.image.pullPolicy }} + command: + - /bin/bash + - '-c' + - |- + set -euo pipefail + kubectl scale -n {{ template "kyverno.namespace" . }} deployment -l app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} --replicas=0 + sleep 30 + kubectl delete validatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno + kubectl delete mutatingwebhookconfiguration -l webhook.kyverno.io/managed-by=kyverno + {{- with .Values.webhooksCleanup.securityContext }} + securityContext: + {{- toYaml . 
| nindent 12 }} + {{- end }} + {{- with .Values.webhooksCleanup.tolerations | default .Values.global.tolerations}} + tolerations: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeSelector | default .Values.global.nodeSelector }} + nodeSelector: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if or .Values.webhooksCleanup.podAntiAffinity .Values.webhooksCleanup.podAffinity .Values.webhooksCleanup.nodeAffinity }} + affinity: + {{- with .Values.webhooksCleanup.podAntiAffinity }} + podAntiAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.podAffinity }} + podAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- with .Values.webhooksCleanup.nodeAffinity }} + nodeAffinity: + {{- tpl (toYaml .) $ | nindent 10 }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kyverno/templates/imagepullsecret.yaml b/charts/kyverno/templates/imagepullsecret.yaml deleted file mode 100644 index f6e8c11ded41..000000000000 --- a/charts/kyverno/templates/imagepullsecret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{ range $name, $secret := .Values.imagePullSecrets }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ $name }} - namespace: {{ template "kyverno.namespace" $ }} - labels: - {{- include "kyverno.labels" $ | nindent 4 }} -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ template "kyverno.imagePullSecret" $secret }} -{{ end }} diff --git a/charts/kyverno/templates/metricsconfigmap.yaml b/charts/kyverno/templates/metricsconfigmap.yaml deleted file mode 100644 index eddd5e0cdcf4..000000000000 --- a/charts/kyverno/templates/metricsconfigmap.yaml +++ /dev/null 
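Review bot: The `sleep 30` after `kubectl scale ... --replicas=0` is a fixed delay standing in for "wait until the controller pods are gone"; presumably the wait exists because a still-running controller could re-create the webhook configurations the next two lines delete, and a pod that outlives the 30 s defeats that on a slow node while a fast one idles needlessly. `kubectl wait --for=delete pod -n {{ template "kyverno.namespace" . }} -l app.kubernetes.io/part-of={{ template "kyverno.fullname" . }} --timeout=60s` makes the condition explicit and, under `set -e`, fails the hook on timeout instead of proceeding. The Job reuses the admission-controller ServiceAccount, so it silently depends on that account holding `deployments/scale` and webhookconfiguration `delete` permissions; a one-line comment naming that assumption would help. The selector scales every Deployment carrying that `part-of` label in the namespace, which this chunk suggests includes all Kyverno controllers — worth stating in a comment if that is intended.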
@@ -1,26 +0,0 @@ -{{- if (not .Values.config.existingMetricsConfig) }} -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - {{- with .Values.config.metricsConfig.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - name: {{ template "kyverno.metricsConfigMapName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- if .Values.config.metricsConfig }} -data: - {{- if .Values.config.metricsConfig.namespaces }} - namespaces: {{ .Values.config.metricsConfig.namespaces | toJson | quote }} - {{- end -}} - {{- if .Values.config.metricsConfig.metricsRefreshInterval }} - metricsRefreshInterval: {{ .Values.config.metricsConfig.metricsRefreshInterval }} - {{- end -}} -{{- else }} -data: - namespaces: '{"include": [], "exclude": []}' - metricsRefreshInterval: 0s -{{- end }} -{{- end -}} diff --git a/charts/kyverno/templates/namespace.yaml b/charts/kyverno/templates/namespace.yaml deleted file mode 100644 index 3f36992f6bbb..000000000000 --- a/charts/kyverno/templates/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- if .Values.templating.enabled -}} -apiVersion: v1 -kind: Namespace -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - name: {{ template "kyverno.fullname" . }} -{{- end -}} diff --git a/charts/kyverno/templates/networkpolicy.yaml b/charts/kyverno/templates/networkpolicy.yaml deleted file mode 100644 index ac834224f62c..000000000000 --- a/charts/kyverno/templates/networkpolicy.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{- if .Values.networkPolicy.enabled }} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - labels: - {{- include "kyverno.labels" . | nindent 4 }} - name: {{ template "kyverno.fullname" . }} - namespace: {{ template "kyverno.namespace" . }} -spec: - podSelector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} - policyTypes: - - Ingress - {{- if .Values.networkPolicy.ingressFrom }} - ingress: - - from: - {{- with .Values.networkPolicy.ingressFrom }} - {{- toYaml . | nindent 4 }} - {{- end }} - ports: - - protocol: TCP - port: 9443 # webhook access - # Allow prometheus scrapes for metrics - {{- if .Values.metricsService.create }} - - protocol: TCP - port: {{ .Values.metricsService.port }} - {{- end }} - {{- else }} - ingress: - - {} - {{- end }} -{{- end }} diff --git a/charts/kyverno/templates/poddisruptionbudget.yaml b/charts/kyverno/templates/poddisruptionbudget.yaml deleted file mode 100644 index 2e22a0862b81..000000000000 --- a/charts/kyverno/templates/poddisruptionbudget.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if (gt (int .Values.replicaCount) 1) }} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ template "kyverno.fullname" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} -spec: - {{- include "kyverno.podDisruptionBudget.spec" . | indent 2 }} - selector: - matchLabels: - {{- include "kyverno.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/kyverno/templates/rbac/_helpers.tpl b/charts/kyverno/templates/rbac/_helpers.tpl new file mode 100644 index 000000000000..e1cc0b114722 --- /dev/null +++ b/charts/kyverno/templates/rbac/_helpers.tpl 
@@ -0,0 +1,28 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "kyverno.rbac.labels.admin" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.rbac.matchLabels" .) + "rbac.authorization.k8s.io/aggregate-to-admin: 'true'" +) -}} +{{- end -}} + +{{- define "kyverno.rbac.labels.view" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.labels.common" .) + (include "kyverno.rbac.matchLabels" .) + "rbac.authorization.k8s.io/aggregate-to-view: 'true'" +) -}} +{{- end -}} + +{{- define "kyverno.rbac.matchLabels" -}} +{{- template "kyverno.labels.merge" (list + (include "kyverno.matchLabels.common" .) + (include "kyverno.labels.component" "rbac") +) -}} +{{- end -}} + +{{- define "kyverno.rbac.roleName" -}} +{{ include "kyverno.fullname" . }}:rbac +{{- end -}} diff --git a/charts/kyverno/templates/rbac/policies.yaml b/charts/kyverno/templates/rbac/policies.yaml new file mode 100644 index 000000000000..c949f8077f8d --- /dev/null +++ b/charts/kyverno/templates/rbac/policies.yaml @@ -0,0 +1,43 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:policies + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:policies + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - kyverno.io + resources: + - cleanuppolicies + - clustercleanuppolicies + - policies + - clusterpolicies + verbs: + - get + - list + - watch +{{- end -}} 
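Review bot: The `:admin:policies` ClusterRole is aggregated into the built-in `admin` role via `rbac.authorization.k8s.io/aggregate-to-admin` and includes `create`/`delete`/`patch` on the cluster-scoped `clusterpolicies` and `clustercleanuppolicies`. `admin` is normally delegated per namespace through a RoleBinding, where cluster-scoped kinds are unreachable anyway, but wherever it is bound cluster-wide this hands cluster policy authorship to every such subject; whether that is intended deserves a sentence in the chart README or a `{{/* ... */}}` comment above the rule, and the same question applies to `clusterpolicyreports` in policyreports.yaml, `clusterephemeralreports` in reports.yaml and `updaterequests` in updaterequests.yaml (whose scope this chunk does not show). Since all four files share the same two-role shape, a single helper taking the apiGroup and resource list would remove the duplication.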
diff --git a/charts/kyverno/templates/rbac/policyreports.yaml b/charts/kyverno/templates/rbac/policyreports.yaml new file mode 100644 index 000000000000..0b85139f7d37 --- /dev/null +++ b/charts/kyverno/templates/rbac/policyreports.yaml @@ -0,0 +1,39 @@ +{{- if .Values.admissionController.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports + labels: + {{- include "kyverno.rbac.labels.admin" . | nindent 4 }} +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports + labels: + {{- include "kyverno.rbac.labels.view" . | nindent 4 }} +rules: + - apiGroups: + - wgpolicyk8s.io + resources: + - policyreports + - clusterpolicyreports + verbs: + - get + - list + - watch +{{- end -}} diff --git a/charts/kyverno/templates/rbac/reports.yaml b/charts/kyverno/templates/rbac/reports.yaml new file mode 100644 index 000000000000..89ea5dc4f81c --- /dev/null +++ b/charts/kyverno/templates/rbac/reports.yaml 
@@ -0,0 +1,39 @@
+{{- if .Values.admissionController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:admin:reports
+ labels:
+ {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - reports.kyverno.io
+ resources:
+ - ephemeralreports
+ - clusterephemeralreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:view:reports
+ labels:
+ {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - reports.kyverno.io
+ resources:
+ - ephemeralreports
+ - clusterephemeralreports
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
\ No newline at end of file
diff --git a/charts/kyverno/templates/rbac/updaterequests.yaml b/charts/kyverno/templates/rbac/updaterequests.yaml
new file mode 100644
index 000000000000..4d81ad75c3ab
--- /dev/null
+++ b/charts/kyverno/templates/rbac/updaterequests.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.admissionController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests
+ labels:
+ {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - updaterequests
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests
+ labels:
+ {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - updaterequests
+ verbs:
+ - get
+ - list
+ - watch
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/_helpers.tpl b/charts/kyverno/templates/reports-controller/_helpers.tpl
new file mode 100644
index 000000000000..2cf441df6db7
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/_helpers.tpl
@@ -0,0 +1,44 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.reports-controller.name" -}}
+{{ template "kyverno.name" . }}-reports-controller
+{{- end -}}
+
+{{- define "kyverno.reports-controller.labels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.common" .)
+ (include "kyverno.reports-controller.matchLabels" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.reports-controller.matchLabels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.matchLabels.common" .)
+ (include "kyverno.labels.component" "reports-controller")
+) -}}
+{{- end -}}
+
+{{- define "kyverno.reports-controller.image" -}}
+{{- $imageRegistry := default .image.registry .globalRegistry -}}
+{{- if $imageRegistry -}}
+ {{ $imageRegistry }}/{{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
+{{- else -}}
+ {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.reports-controller.roleName" -}}
+{{ include "kyverno.fullname" . }}:reports-controller
+{{- end -}}
+
+{{- define "kyverno.reports-controller.serviceAccountName" -}}
+{{- if .Values.reportsController.rbac.create -}}
+ {{ default (include "kyverno.reports-controller.name" .) .Values.reportsController.rbac.serviceAccount.name }}
+{{- else -}}
+ {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.reportsController.rbac.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{- define "kyverno.reports-controller.caCertificatesConfigMapName" -}}
+{{ printf "%s-ca-certificates" (include "kyverno.reports-controller.name" .) }}
+{{- end -}}
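Review bot: The `required` message in `kyverno.reports-controller.serviceAccountName` tells the operator about `rbac.create`, but the value tested two lines above is `.Values.reportsController.rbac.create`, so the error points at the wrong key; the message should name the full path `reportsController.rbac.create`. A second, smaller point: `kyverno.reports-controller.image` only composes `registry/repository:tag` and pins nothing by digest, so reproducible pulls depend entirely on what callers put in `.image.tag`; if digest support exists elsewhere in the chart it should be wired here too, otherwise a comment on the `define` line saying the helper is tag-only would save the next reader a search.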
diff --git a/charts/kyverno/templates/reports-controller/clusterrole.yaml b/charts/kyverno/templates/reports-controller/clusterrole.yaml
new file mode 100644
index 000000000000..b21ac21786ea
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/clusterrole.yaml
@@ -0,0 +1,116 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.reports-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 8 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.reports-controller.roleName" . }}:core
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - apiGroups:
+ - ''
+ resources:
+ - secrets
+ - configmaps
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - globalcontextentries
+ - globalcontextentries/status
+ - policyexceptions
+ - policies
+ - clusterpolicies
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - reports.kyverno.io
+ resources:
+ - ephemeralreports
+ - clusterephemeralreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - policyreports/status
+ - clusterpolicyreports
+ - clusterpolicyreports/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - ''
+ - events.k8s.io
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+{{- with .Values.reportsController.rbac.coreClusterRole.extraResources }}
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- with .Values.reportsController.rbac.clusterRole.extraResources }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.reports-controller.roleName" $ }}:additional
+ labels:
+ {{- include "kyverno.reports-controller.labels" $ | nindent 4 }}
+rules:
+ {{- range . }}
+ - apiGroups:
+ {{- toYaml .apiGroups | nindent 6 }}
+ resources:
+ {{- toYaml .resources | nindent 6 }}
+ verbs:
+ - get
+ - list
+ - watch
+ {{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml b/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
new file mode 100644
index 000000000000..58742e6de86e
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.rbac.create -}}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kyverno.reports-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kyverno.reports-controller.roleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/configmap.yaml b/charts/kyverno/templates/reports-controller/configmap.yaml
new file mode 100644
index 000000000000..ad23aa802e08
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/configmap.yaml
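Review bot: The `:core` ClusterRole's `kyverno.io` rule grants create, delete, patch, update and deletecollection on `policies`, `clusterpolicies` and `policyexceptions`, and the `''` rule grants get/list/watch on `secrets` in every namespace; a controller whose job is to produce reports presumably only reads policies and exceptions, so the write verbs widen what a compromised reports-controller pod could do to the very policy set it reports on. I cannot confirm from the chart which of these objects the controller actually writes, so this needs a check against the controller code, but if it only writes `globalcontextentries` and their status the rule should be split as below so the policy kinds drop to read-only. The cluster-wide `secrets` read deserves a one-line comment stating why it is needed so it is not widened further by accident, and `coreClusterRole.extraResources` is spliced in verbatim, so the values documentation should say those entries are appended to this role unchanged.

```yaml
  - apiGroups:
      - kyverno.io
    resources:
      - globalcontextentries
      - globalcontextentries/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
      - deletecollection
  - apiGroups:
      - kyverno.io
    resources:
      - policyexceptions
      - policies
      - clusterpolicies
    verbs:
      - get
      - list
      - watch
  # … unchanged: reports.kyverno.io, wgpolicyk8s.io and events rules …
```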
@@ -0,0 +1,12 @@
+{{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+data:
+ ca-certificates: |
+ {{ .Values.reportsController.caCertificates.data | default .Values.global.caCertificates.data | indent 4 | trim }}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/deployment.yaml b/charts/kyverno/templates/reports-controller/deployment.yaml
new file mode 100644
index 000000000000..935c09283417
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
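Review bot: The ConfigMap's labels come from `kyverno.admission-controller.labels` although this object belongs to the reports controller and every other template in this directory uses `kyverno.reports-controller.labels`; the reports controller's CA bundle will therefore carry the admission controller's component label and could be matched by any selector or policy keyed on that label. The fix is the one include line: `{{- include "kyverno.reports-controller.labels" . | nindent 4 }}`. Separately, the bundle is emitted under a block scalar via `indent 4 | trim`, which assumes the supplied value is a plain PEM bundle with no leading indentation of its own; a short comment on the `ca-certificates: |` line stating that expectation would help the next maintainer.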
@@ -0,0 +1,198 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if not .Values.templating.debug -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+ replicas: {{ template "kyverno.deployment.replicas" .Values.reportsController.replicas }}
+ revisionHistoryLimit: {{ .Values.reportsController.revisionHistoryLimit }}
+ {{- with .Values.reportsController.updateStrategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 8 }}
+ {{- with .Values.reportsController.podLabels }}
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.podAnnotations }}
+ annotations: {{ tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.reportsController.imagePullSecrets }}
+ imagePullSecrets:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.podSecurityContext }}
+ securityContext:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.nodeSelector | default .Values.global.nodeSelector }}
+ nodeSelector:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.tolerations | default .Values.global.tolerations}}
+ tolerations:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.reportsController.hostNetwork }}
+ hostNetwork: {{ . }}
+ {{- end }}
+ {{- with .Values.reportsController.dnsPolicy }}
+ dnsPolicy: {{ . }}
+ {{- end }}
+ {{- if or .Values.reportsController.antiAffinity.enabled .Values.reportsController.podAffinity .Values.reportsController.nodeAffinity }}
+ affinity:
+ {{- if .Values.reportsController.antiAffinity.enabled }}
+ {{- with .Values.reportsController.podAntiAffinity }}
+ podAntiAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.reportsController.podAffinity }}
+ podAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- with .Values.reportsController.nodeAffinity }}
+ nodeAffinity:
+ {{- tpl (toYaml .) $ | nindent 10 }}
+ {{- end }}
+ {{- end }}
+ serviceAccountName: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ containers:
+ - name: controller
+ image: {{ include "kyverno.reports-controller.image" (dict "globalRegistry" .Values.global.image.registry "image" .Values.reportsController.image "defaultTag" .Chart.AppVersion) | quote }}
+ imagePullPolicy: {{ .Values.reportsController.image.pullPolicy }}
+ ports:
+ - containerPort: {{ .Values.reportsController.server.port }}
+ name: https
+ protocol: TCP
+ - containerPort: {{ .Values.reportsController.metering.port }}
+ name: metrics
+ protocol: TCP
+ {{ if .Values.reportsController.profiling.enabled }}
+ - containerPort: {{ .Values.reportsController.profiling.port }}
+ name: profiling-port
+ protocol: TCP
+ {{- end }}
+ args:
+ {{- if .Values.reportsController.tracing.enabled }}
+ - --enableTracing
+ - --tracingAddress={{ .Values.reportsController.tracing.address }}
+ - --tracingPort={{ .Values.reportsController.tracing.port }}
+ {{- with .Values.reportsController.tracing.creds }}
+ - --tracingCreds={{ . }}
+ {{- end }}
+ {{- end }}
+ - --disableMetrics={{ .Values.reportsController.metering.disabled }}
+ {{- if not .Values.reportsController.metering.disabled }}
+ - --otelConfig={{ .Values.reportsController.metering.config }}
+ - --metricsPort={{ .Values.reportsController.metering.port }}
+ {{- with .Values.reportsController.metering.collector }}
+ - --otelCollector={{ . }}
+ {{- end }}
+ {{- with .Values.reportsController.metering.creds }}
+ - --transportCreds={{ . }}
+ {{- end }}
+ {{- end }}
+ {{- if or .Values.imagePullSecrets .Values.existingImagePullSecrets }}
+ - --imagePullSecrets={{- join "," (concat (keys .Values.imagePullSecrets) .Values.existingImagePullSecrets) }}
+ {{- end }}
+ {{- include "kyverno.features.flags" (pick (mergeOverwrite .Values.features .Values.reportsController.featuresOverride)
+ "admissionReports"
+ "aggregateReports"
+ "policyReports"
+ "validatingAdmissionPolicyReports"
+ "backgroundScan"
+ "configMapCaching"
+ "deferredLoading"
+ "globalContext"
+ "logging"
+ "omitEvents"
+ "policyExceptions"
+ "registryClient"
+ "tuf"
+ ) | nindent 12 }}
+ {{- range $key, $value := .Values.reportsController.extraArgs }}
+ {{- if $value }}
+ - --{{ $key }}={{ $value }}
+ {{- end }}
+ {{- end }}
+ {{ if .Values.reportsController.profiling.enabled }}
+ - --profile=true
+ - --profilePort={{ .Values.reportsController.profiling.port }}
+ {{- end }}
+ env:
+ - name: KYVERNO_SERVICEACCOUNT_NAME
+ value: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ - name: KYVERNO_DEPLOYMENT
+ value: {{ template "kyverno.reports-controller.name" . }}
+ - name: INIT_CONFIG
+ value: {{ template "kyverno.config.configMapName" . }}
+ - name: METRICS_CONFIG
+ value: {{ template "kyverno.config.metricsConfigMapName" . }}
+ - name: KYVERNO_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: KYVERNO_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: TUF_ROOT
+ value: {{ .Values.reportsController.tufRootMountPath }}
+ {{- with (concat .Values.global.extraEnvVars .Values.reportsController.extraEnvVars) }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ {{- with .Values.reportsController.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 12 }}
+ {{- end }}
+ {{- with .Values.reportsController.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ volumeMounts:
+ - mountPath: {{ .Values.reportsController.tufRootMountPath }}
+ name: sigstore
+ {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }}
+ - name: ca-certificates
+ mountPath: /etc/ssl/certs/ca-certificates.crt
+ {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }}
+ subPath: ca-certificates.crt
+ {{- end }}
+ {{- end }}
+ volumes:
+ - name: sigstore
+ {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }}
+ {{- if or .Values.reportsController.caCertificates.data .Values.global.caCertificates.data }}
+ - name: ca-certificates
+ configMap:
+ name: {{ include "kyverno.reports-controller.caCertificatesConfigMapName" . }}
+ items:
+ - key: ca-certificates
+ path: ca-certificates.crt
+ {{- else if or .Values.reportsController.caCertificates.volume .Values.global.caCertificates.volume }}
+ {{- with (.Values.reportsController.caCertificates.volume | default .Values.global.caCertificates.volume) }}
+ - name: ca-certificates
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
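Review bot: The two profiling directives in the container spec are written `{{ if .Values.reportsController.profiling.enabled }}` (once under `ports`, once under `args`) while every other directive in this template trims with `{{- if`/`{{- with`; without the dash each one leaves a whitespace-only line in the rendered manifest whenever profiling is disabled. Change both to `{{- if .Values.reportsController.profiling.enabled }}` for consistency. Note also that both the pod `securityContext` and the container `securityContext` are emitted only `with` their values, so the hardening for this workload (non-root, read-only root filesystem, dropped capabilities) lives entirely in values.yaml, which this hunk does not show; please confirm those defaults are set there rather than assuming the template provides them.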
diff --git a/charts/kyverno/templates/reports-controller/flowschema.yaml b/charts/kyverno/templates/reports-controller/flowschema.yaml
new file mode 100644
index 000000000000..7dbd98a07e1d
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/flowschema.yaml
@@ -0,0 +1,120 @@
+{{- if .Values.reportsController.apiPriorityAndFairness }}
+apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
+kind: FlowSchema
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+ priorityLevelConfiguration:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ rules:
+ - resourceRules:
+ - apiGroups:
+ - '*'
+ namespaces:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - reports.kyverno.io
+ clusterScope: true
+ resources:
+ - clusterephemeralreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - reports.kyverno.io
+ namespaces:
+ - '*'
+ resources:
+ - ephemeralreports
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - wgpolicyk8s.io
+ clusterScope: true
+ resources:
+ - clusterpolicyreports
+ - clusterpolicyreports/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - wgpolicyk8s.io
+ namespaces:
+ - '*'
+ resources:
+ - policyreports
+ - policyreports/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - deletecollection
+ - apiGroups:
+ - ''
+ - events.k8s.io
+ namespaces:
+ - '*'
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ''
+ namespaces:
+ - {{ template "kyverno.namespace" . }}
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - coordination.k8s.io
+ namespaces:
+ - {{ template "kyverno.namespace" . }}
+ resources:
+ - leases
+ verbs:
+ - create
+ - delete
+ - get
+ - patch
+ - update
+ subjects:
+ - kind: ServiceAccount
+ serviceAccount:
+ name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/kyverno/templates/reports-controller/networkpolicy.yaml b/charts/kyverno/templates/reports-controller/networkpolicy.yaml
new file mode 100644
index 000000000000..e70c6d821d29
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/networkpolicy.yaml
@@ -0,0 +1,30 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.networkPolicy.enabled -}}
+{{- if .Values.reportsController.metricsService.create -}}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
+ policyTypes:
+ - Ingress
+ {{- if .Values.reportsController.networkPolicy.ingressFrom }}
+ ingress:
+ - from:
+ {{- toYaml .Values.reportsController.networkPolicy.ingressFrom | nindent 8 }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.reportsController.metricsService.port }}
+ {{- else }}
+ ingress:
+ - {}
+ {{- end }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml b/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml
new file mode 100644
index 000000000000..de6b6248b2ba
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/poddisruptionbudget.yaml
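Review bot: The NetworkPolicy is wrapped in `{{- if .Values.reportsController.metricsService.create -}}`, so turning on `networkPolicy.enabled` without a metrics Service renders no policy at all and the controller pod is left un-isolated; the `podSelector` targets the pod regardless of any Service, so that outer condition should wrap only the `ports`/`ingressFrom` branch, not the whole object. In the `else` branch `ingress: - {}` admits all ingress from every source, so with `ingressFrom` unset the policy provides isolation in name only; a comment on that line such as `# allow-all fallback; set networkPolicy.ingressFrom to actually restrict ingress` would make the behaviour explicit. The `ports` entry in the restricted branch covers `metricsService.port` only, which also means the profiling port configured in `deployment.yaml` is blocked once `ingressFrom` is set, and that interaction is worth stating in the values documentation.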
@@ -0,0 +1,16 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if or .Values.reportsController.podDisruptionBudget.enabled (gt (int .Values.reportsController.replicas) 1) -}}
+apiVersion: {{ template "kyverno.pdb.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+ {{- include "kyverno.pdb.spec" .Values.reportsController.podDisruptionBudget | nindent 2 }}
+ selector:
+ matchLabels:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/prioritylevelconfiguration.yaml b/charts/kyverno/templates/reports-controller/prioritylevelconfiguration.yaml
new file mode 100644
index 000000000000..a5a475e4769e
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/prioritylevelconfiguration.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.reportsController.apiPriorityAndFairness }}
+apiVersion: {{ template "kyverno.flowcontrol.apiVersion" . }}
+kind: PriorityLevelConfiguration
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+{{- with .Values.reportsController.priorityLevelConfigurationSpec }}
+spec:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+{{- end }}
+{{- end }}
diff --git a/charts/kyverno/templates/reports-controller/role.yaml b/charts/kyverno/templates/reports-controller/role.yaml
new file mode 100644
index 000000000000..5c1b5c07da6c
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/role.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "kyverno.reports-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+ namespace: {{ template "kyverno.namespace" . }}
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ resourceNames:
+ - {{ include "kyverno.config.configMapName" . }}
+ - {{ include "kyverno.config.metricsConfigMapName" . }}
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+ resourceNames:
+ - kyverno-reports-controller
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/rolebinding.yaml b/charts/kyverno/templates/reports-controller/rolebinding.yaml
new file mode 100644
index 000000000000..d43066b3bb41
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.rbac.create -}}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "kyverno.reports-controller.roleName" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+ namespace: {{ template "kyverno.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kyverno.reports-controller.roleName" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/service.yaml b/charts/kyverno/templates/reports-controller/service.yaml
new file mode 100644
index 000000000000..34fdfeee6de1
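Review bot: The second `leases` rule scopes delete/get/patch/update to the literal `resourceNames: - kyverno-reports-controller`, while every other name in this file and in `rolebinding.yaml` is derived from `kyverno.reports-controller.name` (which builds on `kyverno.name`); if the controller names its lease after its deployment — I cannot confirm that from the chart — an install where `kyverno.name` resolves to something else would be allowed to `create` the lease but not to renew it, and leader election would stall after the first acquisition. Either derive the name, `- {{ template "kyverno.reports-controller.name" . }}`, or put a comment beside the literal stating that the controller hard-codes this lease name so the two are kept in sync deliberately. The split into an unrestricted `create` rule plus a name-scoped mutate rule is the right least-privilege shape and deserves a one-line comment explaining that `create` cannot be limited by `resourceNames`.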
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/service.yaml
@@ -0,0 +1,50 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.metricsService.create -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}-metrics
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+ {{- with .Values.reportsController.metricsService.annotations }}
+ annotations:
+ {{- tpl (toYaml .) $ | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - port: {{ .Values.reportsController.metricsService.port }}
+ targetPort: {{ .Values.reportsController.metering.port }}
+ protocol: TCP
+ name: metrics-port
+ {{- if and (eq .Values.reportsController.metricsService.type "NodePort") (not (empty .Values.reportsController.metricsService.nodePort)) }}
+ nodePort: {{ .Values.reportsController.metricsService.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }}
+ type: {{ .Values.reportsController.metricsService.type }}
+{{- end -}}
+{{- end -}}
+{{- if .Values.reportsController.profiling.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}-profiling
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+spec:
+ ports:
+ - port: {{ .Values.reportsController.profiling.port }}
+ targetPort: {{ .Values.reportsController.profiling.port }}
+ protocol: TCP
+ name: profiling-port
+ {{- if and (eq .Values.reportsController.profiling.serviceType "NodePort") (not (empty .Values.reportsController.profiling.nodePort)) }}
+ nodePort: {{ .Values.reportsController.profiling.nodePort }}
+ {{- end }}
+ selector:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 4 }}
+ type: {{ .Values.reportsController.profiling.serviceType }}
+{{- end -}}
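Review bot: The second Service publishes `reportsController.profiling.port` and honours `profiling.serviceType` including `NodePort`, which places the controller's profiling endpoint on every node address; the NetworkPolicy added in `networkpolicy.yaml` only admits traffic to `metricsService.port` and is rendered only when `metricsService.create` is true, so nothing in the chart narrows who can reach the profiling port once it is enabled. Profiling endpoints of this kind typically expose runtime internals without authentication (the server side is not visible here), so a comment on the `{{- if .Values.reportsController.profiling.enabled }}` line such as `{{/* profiling exposes runtime internals; keep serviceType ClusterIP unless access is restricted by other means */}}`, mirrored in values.yaml, would make the trade-off explicit. Unlike the metrics Service this one is not gated on `reportsController.enabled`, so it is rendered even when the Deployment is not; wrapping it in the same `{{- if .Values.reportsController.enabled -}}` guard would keep the two consistent.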
diff --git a/charts/kyverno/templates/reports-controller/serviceaccount.yaml b/charts/kyverno/templates/reports-controller/serviceaccount.yaml
new file mode 100644
index 000000000000..44ddeda4479e
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/serviceaccount.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "kyverno.reports-controller.serviceAccountName" . }}
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+ {{- with .Values.reportsController.rbac.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/reports-controller/servicemonitor.yaml b/charts/kyverno/templates/reports-controller/servicemonitor.yaml
new file mode 100644
index 000000000000..681e3d99311b
--- /dev/null
+++ b/charts/kyverno/templates/reports-controller/servicemonitor.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.reportsController.enabled -}}
+{{- if .Values.reportsController.serviceMonitor.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: {{ template "kyverno.reports-controller.name" . }}
+ {{- if .Values.reportsController.serviceMonitor.namespace }}
+ namespace: {{ .Values.reportsController.serviceMonitor.namespace }}
+ {{- else }}
+ namespace: {{ template "kyverno.namespace" . }}
+ {{- end }}
+ labels:
+ {{- include "kyverno.reports-controller.labels" . | nindent 4 }}
+ {{- with .Values.reportsController.serviceMonitor.additionalLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "kyverno.reports-controller.matchLabels" . | nindent 6 }}
+ namespaceSelector:
+ matchNames:
+ - {{ template "kyverno.namespace" . }}
+ endpoints:
+ - port: metrics-port
+ interval: {{ .Values.reportsController.serviceMonitor.interval }}
+ scrapeTimeout: {{ .Values.reportsController.serviceMonitor.scrapeTimeout }}
+ {{- if .Values.reportsController.serviceMonitor.secure }}
+ scheme: https
+ tlsConfig:
+ {{- toYaml .Values.reportsController.serviceMonitor.tlsConfig | nindent 8 }}
+ {{- end }}
+ {{- with .Values.reportsController.serviceMonitor.relabelings }}
+ relabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ {{- with .Values.reportsController.serviceMonitor.metricRelabelings }}
+ metricRelabelings:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/role.yaml b/charts/kyverno/templates/role.yaml
deleted file mode 100644
index ac6b2a20bd8b..000000000000
--- a/charts/kyverno/templates/role.yaml
+++ /dev/null
@@ -1,31 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ template "kyverno.fullname" . }}:leaderelection - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - delete - - get - - patch - - update -# Allow update of Kyverno deployment annotations -- apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - patch - - update - - watch -{{- end }} diff --git a/charts/kyverno/templates/rolebinding.yaml b/charts/kyverno/templates/rolebinding.yaml deleted file mode 100644 index abb3fbb961e9..000000000000 --- a/charts/kyverno/templates/rolebinding.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.rbac.create }} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ template "kyverno.fullname" . }}:leaderelection - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ template "kyverno.fullname" . }}:leaderelection -subjects: -- kind: ServiceAccount - name: {{ template "kyverno.serviceAccountName" . }} - namespace: {{ template "kyverno.namespace" . }} -{{- end }} diff --git a/charts/kyverno/templates/secret.yaml b/charts/kyverno/templates/secret.yaml deleted file mode 100644 index 4a6cc475f2f4..000000000000 --- a/charts/kyverno/templates/secret.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if .Values.createSelfSignedCert }} -{{- $ca := genCA (printf "*.%s.svc" (include "kyverno.namespace" .)) 1024 -}} -{{- $svcName := (printf "%s.%s.svc" (include "kyverno.serviceName" .) (include "kyverno.namespace" .)) -}} -{{- $cert := genSignedCert $svcName nil (list $svcName) 1024 $ca -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-ca - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} -type: kubernetes.io/tls -data: - tls.key: {{ $ca.Key | b64enc }} - tls.crt: {{ $ca.Cert | b64enc }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.kyverno-tls-pair - namespace: {{ template "kyverno.namespace" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - annotations: - self-signed-cert: "true" -type: kubernetes.io/tls -data: - tls.key: {{ $cert.Key | b64enc }} - tls.crt: {{ $cert.Cert | b64enc }} -{{- end -}} diff --git a/charts/kyverno/templates/service.yaml b/charts/kyverno/templates/service.yaml deleted file mode 100644 index bca0fa3c2cd7..000000000000 --- a/charts/kyverno/templates/service.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kyverno.serviceName" . }} - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} - {{- with .Values.service.annotations }} - annotations: {{ tpl (toYaml .) $ | nindent 4 }} - {{- end }} -spec: - ports: - - port: {{ .Values.service.port }} - targetPort: https - protocol: TCP - name: https - {{- if and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)) }} - nodePort: {{ .Values.service.nodePort }} - {{- end }} - selector: - {{- include "kyverno.matchLabels" . | nindent 4 }} - type: {{ .Values.service.type }} ---- -{{- if .Values.metricsService.create }} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "kyverno.serviceName" . }}-metrics - labels: - {{- include "kyverno.labels" . | nindent 4 }} - namespace: {{ template "kyverno.namespace" . }} - {{- with .Values.metricsService.annotations }} - annotations: {{ tpl (toYaml .) $ | nindent 4 }} - {{- end }} -spec: - ports: - - port: {{ .Values.metricsService.port }} - targetPort: 8000 - protocol: TCP - name: metrics-port - {{- if and (eq .Values.metricsService.type "NodePort") (not (empty .Values.metricsService.nodePort)) }} - nodePort: {{ .Values.metricsService.nodePort }} - {{- end }} - selector: - {{- include "kyverno.matchLabels" . | nindent 4 }} - type: {{ .Values.metricsService.type }} -{{- end -}} diff --git a/charts/kyverno/templates/serviceaccount.yaml b/charts/kyverno/templates/serviceaccount.yaml deleted file mode 100644 index 83265e8a0c1d..000000000000 --- a/charts/kyverno/templates/serviceaccount.yaml +++ /dev/null 
@@ -1,12 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ template "kyverno.serviceAccountName" . }}
- labels:
- {{- include "kyverno.labels" . | nindent 4 }}
- {{- if .Values.rbac.serviceAccount.annotations }}
- annotations: {{ toYaml .Values.rbac.serviceAccount.annotations | nindent 4 }}
- {{- end }}
- namespace: {{ template "kyverno.namespace" . }}
-{{- end }}
diff --git a/charts/kyverno/templates/servicemonitor.yaml b/charts/kyverno/templates/servicemonitor.yaml deleted file mode 100644
index 33c192ea6b03..000000000000
--- a/charts/kyverno/templates/servicemonitor.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.serviceMonitor.enabled }}
-apiVersion: "monitoring.coreos.com/v1"
-kind: ServiceMonitor
-metadata:
- labels:
- {{- include "kyverno.labels" . | nindent 4 }}
-{{- if .Values.serviceMonitor.additionalLabels }}
-{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }}
-{{- end }}
- name: {{ template "kyverno.serviceName" . }}-service-monitor
-{{- if .Values.serviceMonitor.namespace }}
- namespace: {{ .Values.serviceMonitor.namespace }}
-{{- else }}
- namespace: {{ template "kyverno.namespace" . }}
-{{- end }}
-spec:
- selector:
- matchLabels:
- {{- include "kyverno.matchLabels" . | nindent 6 }}
- namespaceSelector:
- matchNames:
- - {{ template "kyverno.namespace" . }}
- endpoints:
- - port: metrics-port
- interval: {{ .Values.serviceMonitor.interval }}
- scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }}
- {{- if .Values.serviceMonitor.secure }}
- scheme: https
- tlsConfig:
- {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
- {{- end }}
-{{- end }}
diff --git a/charts/kyverno/templates/tests/_helpers.tpl b/charts/kyverno/templates/tests/_helpers.tpl new file mode 100644
index 000000000000..f1e1a3ed351c
--- /dev/null
+++ b/charts/kyverno/templates/tests/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{- define "kyverno.test.labels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.common" .)
+ (include "kyverno.test.matchLabels" .)
+) -}}
+{{- end -}}
+
+{{- define "kyverno.test.matchLabels" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.matchLabels.common" .)
+ (include "kyverno.labels.component" "test")
+) -}}
+{{- end -}}
+
+{{- define "kyverno.test.annotations" -}}
+helm.sh/hook: test
+{{- end -}}
+
+{{- define "kyverno.test.image" -}}
+{{- template "kyverno.image" (dict "image" .Values.test.image "defaultTag" "latest") -}}
+{{- end -}}
+
+{{- define "kyverno.test.imagePullPolicy" -}}
+{{- default .Values.admissionController.container.image.pullPolicy .Values.test.image.pullPolicy -}}
+{{- end -}}
diff --git a/charts/kyverno/templates/tests/admission-controller-liveness.yaml b/charts/kyverno/templates/tests/admission-controller-liveness.yaml new file mode 100644
index 000000000000..97c671a86f34
--- /dev/null
+++ b/charts/kyverno/templates/tests/admission-controller-liveness.yaml
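Review bot: `kyverno.test.image` falls back to the mutable `latest` tag whenever `.Values.test.image.tag` is unset, so the test hook pulls whatever the registry currently serves rather than a reproducible image; for a chart that otherwise pins its images this deserves either a fixed default tag or a values comment stating why `latest` is acceptable for a test-only container. None of the five helpers carries a comment; a one-line header such as `{{/* Labels for helm test pods: common labels merged with the test component match labels */}}` above `kyverno.test.labels`, and similar lines for the others, would make the file self-explaining. The fallback in `kyverno.test.imagePullPolicy` silently couples the test image's pull policy to `admissionController.container.image.pullPolicy`, which is worth spelling out in the values documentation for `test.image.pullPolicy`.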
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-admission-controller-liveness
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/liveness
diff --git a/charts/kyverno/templates/tests/admission-controller-metrics.yaml b/charts/kyverno/templates/tests/admission-controller-metrics.yaml new file mode 100644
index 000000000000..514a6c2621dd
--- /dev/null
+++ b/charts/kyverno/templates/tests/admission-controller-metrics.yaml
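Review bot: The `wget` on the last line of the command has no network timeout, so if the service accepts the connection but never answers, the pod sits until the Helm test deadline and reports nothing about what failed; if the test image is still busybox as in the deleted test.yaml, `wget -T 10 -O- -S --no-check-certificate https://...` bounds each attempt. `--no-check-certificate` means this test proves only that the liveness endpoint answers over TLS, not that the certificate is the one the webhook is expected to serve, which is fine for a smoke test but should be stated, e.g. `# TLS verification is skipped: this checks reachability, not the webhook certificate` above `command:`. The same two points apply to admission-controller-readiness.yaml, cleanup-controller-liveness.yaml and cleanup-controller-readiness.yaml, and the missing timeout also to the three metrics tests. The fixed `sleep 20` before the probe is a guess at startup time; a short retry loop would be more robust, but that is a larger change than this note proposes.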
@@ -0,0 +1,29 @@
+{{- if .Values.admissionController.metricsService.create -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-admission-controller-metrics
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.admission-controller.serviceName" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.metricsService.port }}/metrics
+{{- end -}}
diff --git a/charts/kyverno/templates/tests/admission-controller-readiness.yaml b/charts/kyverno/templates/tests/admission-controller-readiness.yaml new file mode 100644
index 000000000000..fb1d34a088d2
--- /dev/null
+++ b/charts/kyverno/templates/tests/admission-controller-readiness.yaml
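Review bot: `--no-check-certificate` on the last command line is a no-op here because the URL is plain `http://`, so the flag only suggests a TLS check that never happens; either drop it, or if the metrics endpoint can be served over TLS, derive the scheme from that setting instead of hard-coding `http://`. The same applies to cleanup-controller-metrics.yaml and reports-controller-metrics.yaml. A brief comment above `command:` such as `# metrics are scraped over plain HTTP on the metrics service port` would record the intent.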
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-admission-controller-readiness
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.admissionController.service.port }}/health/readiness
diff --git a/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml b/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml new file mode 100644
index 000000000000..21b44011dead
--- /dev/null
+++ b/charts/kyverno/templates/tests/cleanup-controller-liveness.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.cleanupController.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-cleanup-controller-liveness
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/liveness
+{{- end -}}
diff --git a/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml b/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml new file mode 100644
index 000000000000..c3cd51961fe6
--- /dev/null
+++ b/charts/kyverno/templates/tests/cleanup-controller-metrics.yaml
@@ -0,0 +1,29 @@
+{{- if and .Values.cleanupController.enabled .Values.cleanupController.metricsService.create -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-cleanup-controller-metrics
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.cleanup-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.metricsService.port }}/metrics
+{{- end -}}
diff --git a/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml b/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml new file mode 100644
index 000000000000..17752a3a3438
--- /dev/null
+++ b/charts/kyverno/templates/tests/cleanup-controller-readiness.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.cleanupController.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-cleanup-controller-readiness
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}:{{ .Values.cleanupController.service.port }}/health/readiness
+{{- end -}}
diff --git a/charts/kyverno/templates/tests/reports-controller-metrics.yaml b/charts/kyverno/templates/tests/reports-controller-metrics.yaml new file mode 100644
index 000000000000..ecc3be9b416f
--- /dev/null
+++ b/charts/kyverno/templates/tests/reports-controller-metrics.yaml
@@ -0,0 +1,29 @@
+{{- if and .Values.reportsController.enabled .Values.reportsController.metricsService.create -}}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: {{ template "kyverno.fullname" . }}-reports-controller-metrics
+ namespace: {{ template "kyverno.namespace" . }}
+ labels:
+ {{- include "kyverno.test.labels" . | nindent 4 }}
+ annotations:
+ {{- include "kyverno.test.annotations" . | nindent 4 }}
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test
+ image: {{ template "kyverno.test.image" . }}
+ imagePullPolicy: {{ template "kyverno.test.imagePullPolicy" . }}
+ {{- with .Values.test.resources }}
+ resources:
+ {{- tpl (toYaml .) $ | nindent 8 }}
+ {{- end }}
+ {{- with .Values.test.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ command:
+ - /bin/sh
+ - -c
+ - sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.reports-controller.name" . }}-metrics.{{ template "kyverno.namespace" . }}:{{ .Values.reportsController.metricsService.port }}/metrics
+{{- end -}}
diff --git a/charts/kyverno/templates/tests/test.yaml b/charts/kyverno/templates/tests/test.yaml deleted file mode 100644
index 75345dbacc9f..000000000000
--- a/charts/kyverno/templates/tests/test.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: "{{ template "kyverno.fullname" . }}-test"
- labels:
- {{- include "kyverno.test-labels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
-spec:
- restartPolicy: Never
- containers:
- - name: wget
- image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }}
- imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
- {{- with .Values.testResources }}
- resources: {{ tpl (toYaml .) $ | nindent 8 }}
- {{- end }}
- {{- if .Values.testSecurityContext }}
- securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
- {{- end }}
- command:
- - /bin/sh
- - -c
- - |
- sleep 20 ; wget -O- -S --no-check-certificate https://{{ template "kyverno.serviceName" . }}:{{ .Values.service.port }}/health/liveness
- - name: wget-metrics
- image: {{ include "kyverno.image" (dict "image" .Values.testImage "defaultTag" "latest") | quote }}
- imagePullPolicy: {{ default .Values.image.pullPolicy .Values.testImage.pullPolicy }}
- {{- with .Values.testResources }}
- resources: {{ tpl (toYaml .) $ | nindent 8 }}
- {{- end }}
- {{- if .Values.testSecurityContext }}
- securityContext: {{ include "kyverno.testSecurityContext" . | nindent 8 }}
- {{- end }}
- command:
- - /bin/sh
- - -c
- - |
- sleep 20 ; wget -O- -S --no-check-certificate http://{{ template "kyverno.serviceName" . }}-metrics:{{ .Values.metricsService.port }}/metrics
diff --git a/charts/kyverno/templates/validate.yaml b/charts/kyverno/templates/validate.yaml
index 35864e9c11b0..8fe085847c12 100644
--- a/charts/kyverno/templates/validate.yaml
+++ b/charts/kyverno/templates/validate.yaml
@@ -1,13 +1,43 @@
-{{- if hasKey .Values "mode" }}
- {{ fail "mode is not supported anymore, please remove it from your release and use replicaCount instead." }}
+{{- if and (eq .Values.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.cleanuppolicies false) }}
+{{- fail "CRD cleanuppolicies disabled while cleanupController enabled" }}
 {{- end }}
-
-{{- if .Values.replicaCount }}
- {{- if eq (int .Values.replicaCount) 2 }}
- {{ fail "Kyverno does not support running with 2 replicas. For a highly-available deployment, select 3 replicas or for standalone select 1 replica." }}
- {{- end }}
+{{- if and (eq .Values.cleanupController.enabled true) (eq .Values.crds.groups.kyverno.clustercleanuppolicies false) }}
+{{- fail "CRD clustercleanuppolicies disabled while cleanupController enabled" }}
 {{- end }}
-
-{{- if eq (include "kyverno.namespace" .) "kube-system" }}
- {{ fail "Kyverno cannot be installed in namespace kube-system." }}
+{{- if and (eq .Values.reportsController.enabled true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) }}
+{{- fail "CRD clusterpolicyreports disabled while reportsController enabled" }}
+{{- end }}
+{{- if and (eq .Values.reportsController.enabled true) (eq .Values.crds.groups.wgpolicyk8s.clusterpolicyreports false) }}
+{{- fail "CRD clusterpolicyreports disabled while reportsController enabled" }}
+{{- end }}
+{{- if and (eq .Values.reportsController.enabled true) (eq .Values.crds.groups.kyverno.backgroundscanreports false) }}
+{{- fail "CRD backgroundscanreports disabled while reportsController enabled" }}
 {{- end }}
+{{- if and (eq .Values.reportsController.enabled true) (eq .Values.crds.groups.kyverno.clusterbackgroundscanreports false) }}
+{{- fail "CRD backgroundscanreports disabled while reportsController enabled" }}
+{{- end }}
+
+{{- if hasKey .Values "mode" -}}
+ {{- fail "mode is not supported anymore, please remove it from your release and use admissionController.replicas instead." -}}
+{{- end -}}
+
+{{- if eq (include "kyverno.namespace" .) "kube-system" -}}
+ {{- fail "Kyverno cannot be installed in namespace kube-system." -}}
+{{- end -}}
+
+{{- if not .Values.upgrade.fromV2 -}}
+ {{- $v2 := lookup "apps/v1" "Deployment" (include "kyverno.namespace" .) (include "kyverno.fullname" .) -}}
+ {{- if $v2 -}}
+ {{- fail (join "\n" (list
+ ""
+ ""
+ " +--------------------------------------------------------------------------------------------------------------------------------------+"
+ " | An earlier Helm installation of Kyverno was detected. |"
+ " | Given this chart version has significant breaking changes, the upgrade has been blocked. |"
+ " | Please review the release notes and chart README section and then, once prepared, set `upgrade.fromV2: true` once ready to proceed. |"
+ " +--------------------------------------------------------------------------------------------------------------------------------------+"
+ ""
+ ))
+ -}}
+ {{- end -}}
+{{- end -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index e6b091cfd146..052b8c32d519 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
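Review bot: The third and fourth CRD checks in this hunk are identical — both test `.Values.crds.groups.wgpolicyk8s.clusterpolicyreports` and emit the same message — so one of the two `wgpolicyk8s` CRDs is never validated; since the values.yaml hunk in this diff lists `policyreports` next to `clusterpolicyreports`, the second check presumably should read `{{- if and (eq .Values.reportsController.enabled true) (eq .Values.crds.groups.wgpolicyk8s.policyreports false) }}` with `{{- fail "CRD policyreports disabled while reportsController enabled" }}`. The last CRD check tests `clusterbackgroundscanreports` but its message says `backgroundscanreports`, so a user who hits it is pointed at the wrong key; the message should name `clusterbackgroundscanreports`. The `crds.groups.kyverno` block added to values.yaml in this same diff does not list `backgroundscanreports` or `clusterbackgroundscanreports` at all (the report CRDs there are under `reports` as `ephemeralreports`/`clusterephemeralreports`), so the two `backgroundscanreports` checks may compare against keys that are never set; worth confirming against the CRD set this chart actually ships. The `lookup` in the v2-upgrade guard silently yields nothing under `helm template` or without cluster access, which is expected but deserves a one-line comment such as `# lookup returns empty without cluster access, so this guard only fires during a real install/upgrade`.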
@@ -3,503 +3,1405 @@ templating: enabled: false debug: false - version: + version: ~ -# -- Override the name of the chart -nameOverride: +global: -# -- Override the expanded name of the chart -fullnameOverride: + image: + # -- (string) Global value that allows to set a single image registry across all deployments. + # When set, it will override any values set under `.image.registry` across the chart. + registry: ~ + + caCertificates: + # -- Global CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + # Individual controller values will override this global value + data: ~ + + # -- Global value to set single volume to be mounted for CA certificates for all deployments. + # Not used when `.Values.global.caCertificates.data` is defined + # Individual controller values will override this global value + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + # -- Additional container environment variables to apply to all containers and init containers + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + # -- Global node labels for pod assignment. Non-global values will override the global value. + nodeSelector: {} -# -- Namespace the chart deploys to -namespace: + # -- Global List of node taints to tolerate. Non-global values will override the global value. 
+ tolerations: [] -# -- Additional labels -customLabels: {} +# -- (string) Override the name of the chart +nameOverride: ~ -rbac: - # -- Create ClusterRoles, ClusterRoleBindings, and ServiceAccount - create: true - serviceAccount: - # -- Create a ServiceAccount - create: true - # -- The ServiceAccount name - name: - # -- Annotations for the ServiceAccount - annotations: {} - # example.com/annotation: value - -image: - # -- Image registry - registry: - # If you want to manage the registry you should remove it from the repository - # registry: ghcr.io - # repository: kyverno/kyverno - # -- Image repository - repository: ghcr.io/kyverno/kyverno # kyverno: replaced in e2e tests - # -- Image tag - # Defaults to appVersion in Chart.yaml if omitted - tag: # replaced in e2e tests - # -- Image pull policy - pullPolicy: IfNotPresent - # -- Image pull secrets - pullSecrets: [] - # - secretName - -initImage: - # -- Image registry - registry: - # If you want to manage the registry you should remove it from the repository - # registry: ghcr.io - # repository: kyverno/kyvernopre - # -- Image repository - repository: ghcr.io/kyverno/kyvernopre # init: replaced in e2e tests - # -- Image tag - # If initImage.tag is missing, defaults to image.tag - tag: # replaced in e2e tests - # -- Image pull policy - # If initImage.pullPolicy is missing, defaults to image.pullPolicy - pullPolicy: - -initContainer: - # -- Extra arguments to give to the kyvernopre binary. 
- extraArgs: - - --loggingFormat=text - - -testImage: - # -- Image registry - registry: - # -- Image repository - repository: busybox - # -- Image tag - # Defaults to `latest` if omitted - tag: - # -- Image pull policy - # Defaults to image.pullPolicy if omitted - pullPolicy: - -# -- (int) Desired number of pods -replicaCount: ~ - -# -- Additional labels to add to each pod -podLabels: {} - # example.com/label: foo +# -- (string) Override the expanded name of the chart +fullnameOverride: ~ -# -- Additional annotations to add to each pod -podAnnotations: {} - # example.com/annotation: foo +# -- (string) Override the namespace the chart deploys to +namespaceOverride: ~ -# -- Security context for the pod -podSecurityContext: {} - -# -- Security context for the containers -securityContext: - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - -# -- Security context for the test containers -testSecurityContext: - runAsUser: 65534 - runAsGroup: 65534 - runAsNonRoot: true - privileged: false - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - -# -- Optional priority class to be used for kyverno pods -priorityClassName: '' - -antiAffinity: - # -- Pod antiAffinities toggle. - # Enabled by default but can be disabled if you want to schedule pods to the same node. - enable: true - -# -- Pod anti affinity constraints. -# @default -- See [values.yaml](values.yaml) -podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: - - '{{ template "kyverno.name" . }}' - topologyKey: kubernetes.io/hostname - -# -- Pod affinity constraints. -podAffinity: {} - -# -- Node affinity constraints. 
-nodeAffinity: {} - -podDisruptionBudget: - # -- Configures the minimum available pods for kyverno disruptions. - # Cannot be used if `maxUnavailable` is set. - minAvailable: 1 - # -- Configures the maximum unavailable pods for kyverno disruptions. - # Cannot be used if `minAvailable` is set. - maxUnavailable: - -# -- Node labels for pod assignment -nodeSelector: {} - -# -- List of node taints to tolerate -tolerations: [] - -# -- Change `hostNetwork` to `true` when you want the kyverno's pod to share its host's network namespace. -# Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. -# Update the `dnsPolicy` accordingly as well to suit the host network mode. -hostNetwork: false - -# -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. -# In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. -# For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. -dnsPolicy: ClusterFirst - -# -- Env variables for initContainers. -envVarsInit: {} - -# -- Env variables for containers. -envVars: {} - -# -- Extra arguments to give to the binary. -extraArgs: - - --loggingFormat=text - -# -- Array of extra init containers -extraInitContainers: [] -# Example: -# - name: init-container -# image: busybox -# command: ['sh', '-c', 'echo Hello'] - -# -- Array of extra containers to run alongside kyverno -extraContainers: [] -# Example: -# - name: myapp-container -# image: busybox -# command: ['sh', '-c', 'echo Hello && sleep 3600'] - -# -- Image pull secrets for image verify and imageData policies. -# This will define the `--imagePullSecrets` Kyverno argument. 
-imagePullSecrets: {} - # Define two image pull secrets - # imagePullSecrets: - # regcred: - # registry: foo.example.com - # username: foobar - # password: secret - # regcred2: - # registry: bar.example.com - # username: barbaz - # password: secret2 - - -# -- Existing Image pull secrets for image verify and imageData policies. -# This will define the `--imagePullSecrets` Kyverno argument. -existingImagePullSecrets: [] - # Define an existing image pull secret - # existingImagePullSecrets: - # - test-registry - # - other-test-registry +upgrade: + # -- Upgrading from v2 to v3 is not allowed by default, set this to true once changes have been reviewed. + fromV2: false -resources: - # -- Pod resource limits - limits: - memory: 384Mi - # -- Pod resource requests - requests: - cpu: 100m - memory: 128Mi - -initResources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi - -testResources: - # -- Pod resource limits - limits: - cpu: 100m - memory: 256Mi - # -- Pod resource requests - requests: - cpu: 10m - memory: 64Mi - -# -- Startup probe. -# The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# @default -- See [values.yaml](values.yaml) -startupProbe: - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - failureThreshold: 20 - initialDelaySeconds: 2 - periodSeconds: 6 - -# -- Liveness probe. -# The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. 
-# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# @default -- See [values.yaml](values.yaml) -livenessProbe: - httpGet: - path: /health/liveness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 15 - periodSeconds: 30 - timeoutSeconds: 5 - failureThreshold: 2 - successThreshold: 1 - -# -- Readiness Probe. -# The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. -# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ -# @default -- See [values.yaml](values.yaml) -readinessProbe: - httpGet: - path: /health/readiness - port: 9443 - scheme: HTTPS - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 6 - successThreshold: 1 - -# -- Additional resources to be added to controller RBAC permissions. -generatecontrollerExtraResources: [] -# - ResourceA -# - ResourceB - -# -- Exclude Kyverno namespace -# Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters -excludeKyvernoNamespace: true - -# -- resourceFilter namespace exclude -# Namespaces to exclude from the default resourceFilters -resourceFiltersExcludeNamespaces: [] +apiVersionOverride: + # -- (string) Override api version used to create `PodDisruptionBudget`` resources. + # When not specified the chart will check if `policy/v1/PodDisruptionBudget` is available to + # determine the api version automatically. 
+ podDisruptionBudget: ~ + +# CRDs configuration +crds: + + # -- Whether to have Helm install the Kyverno CRDs, if the CRDs are not installed by Helm, they must be added before policies can be created + install: true + + groups: + + # -- Install CRDs in group `kyverno.io` + kyverno: + cleanuppolicies: true + clustercleanuppolicies: true + clusterpolicies: true + globalcontextentries: true + policies: true + policyexceptions: true + updaterequests: true + + # -- Install CRDs in group `reports.kyverno.io` + reports: + clusterephemeralreports: true + ephemeralreports: true + + # -- Install CRDs in group `wgpolicyk8s.io` + wgpolicyk8s: + clusterpolicyreports: true + policyreports: true + + # -- Additional CRDs annotations + annotations: {} + # argocd.argoproj.io/sync-options: Replace=true + # strategy.spinnaker.io/replace: 'true' + + # -- Additional CRDs labels + customLabels: {} + + migration: + + # -- Enable CRDs migration using helm post upgrade hook + enabled: true + + # -- Resources to migrate + resources: + - cleanuppolicies.kyverno.io + - clustercleanuppolicies.kyverno.io + - clusterpolicies.kyverno.io + - globalcontextentries.kyverno.io + - policies.kyverno.io + - policyexceptions.kyverno.io + - updaterequests.kyverno.io + + image: + # -- (string) Image registry + registry: ghcr.io + # -- (string) Image repository + repository: kyverno/kyverno-cli + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- (string) Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. 
+ podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +# Configuration config: - # -- The registry hostname used for the image mutation. - defaultRegistry: docker.io + + # -- Create the configmap. + create: true + + # -- Preserve the configmap settings during upgrade. + preserve: true + + # -- (string) The configmap name (required if `create` is `false`). + name: ~ + + # -- Additional annotations to add to the configmap. + annotations: {} # -- Enable registry mutation for container images. Enabled by default. enableDefaultRegistryMutation: true + # -- The registry hostname used for the image mutation. + defaultRegistry: docker.io + + # -- Exclude groups + excludeGroups: + - system:nodes + + # -- Exclude usernames + excludeUsernames: [] + # - '!system:kube-scheduler' + + # -- Exclude roles + excludeRoles: [] + + # -- Exclude roles + excludeClusterRoles: [] + + # -- Generate success events. + generateSuccessEvents: false + # -- Resource types to be skipped by the Kyverno policy engine. # Make sure to surround each entry in quotes so that it doesn't get parsed as a nested YAML list. # These are joined together without spaces, run through `tpl`, and the result is set in the config map. 
# @default -- See [values.yaml](values.yaml) resourceFilters: - - '[Event,*,*]' - - '[*,kube-system,*]' - - '[*,kube-public,*]' - - '[*,kube-node-lease,*]' - - '[Node,*,*]' - - '[APIService,*,*]' - - '[TokenReview,*,*]' - - '[SubjectAccessReview,*,*]' - - '[SelfSubjectAccessReview,*,*]' - - '[Binding,*,*]' - - '[ReplicaSet,*,*]' - - '[AdmissionReport,*,*]' - - '[ClusterAdmissionReport,*,*]' - - '[BackgroundScanReport,*,*]' - - '[ClusterBackgroundScanReport,*,*]' - # exclude resources from the chart - - '[ClusterRole,*,{{ template "kyverno.fullname" . }}:*]' - - '[ClusterRoleBinding,*,{{ template "kyverno.fullname" . }}:*]' - - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceAccountName" . }}]' - - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.configMapName" . }}]' - - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.metricsConfigMapName" . }}]' - - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' - - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}]' - - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]' - - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}:*]' - - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' - - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}]' - - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.serviceName" . }}-metrics]' - - '[ServiceMonitor,{{ if .Values.serviceMonitor.namespace }}{{ .Values.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . 
}}{{ end }},{{ template "kyverno.serviceName" . }}-service-monitor]' - - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-test]' - - # -- Name of an existing config map (ignores default/provided resourceFilters) - existingConfig: '' - # -- Additional annotations to add to the configmap - annotations: {} - # example.com/annotation: foo - # -- Exclude group role - excludeGroupRole: - # - '' - # -- Exclude username - excludeUsername: - # - '' + - '[Event,*,*]' + - '[*/*,kube-system,*]' + - '[*/*,kube-public,*]' + - '[*/*,kube-node-lease,*]' + - '[Node,*,*]' + - '[Node/*,*,*]' + - '[APIService,*,*]' + - '[APIService/*,*,*]' + - '[TokenReview,*,*]' + - '[SubjectAccessReview,*,*]' + - '[SelfSubjectAccessReview,*,*]' + - '[Binding,*,*]' + - '[Pod/binding,*,*]' + - '[ReplicaSet,*,*]' + - '[ReplicaSet/*,*,*]' + # exclude resources from the chart + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.admission-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.background-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.cleanup-controller.roleName" . }}:additional]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:core]' + - '[ClusterRole,*,{{ template "kyverno.reports-controller.roleName" . }}:additional]' + - '[ClusterRoleBinding,*,{{ template "kyverno.admission-controller.roleName" . 
}}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.background-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[ClusterRoleBinding,*,{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.serviceAccountName" . }}]' + - '[ServiceAccount,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[ServiceAccount/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.serviceAccountName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[Role,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . 
}},{{ template "kyverno.cleanup-controller.roleName" . }}]' + - '[RoleBinding,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.roleName" . }}]' + - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.configMapName" . }}]' + - '[ConfigMap,{{ include "kyverno.namespace" . }},{{ template "kyverno.config.metricsConfigMapName" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Deployment,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Deployment/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-*]' + - '[Pod,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . 
}}-*]' + - '[Pod/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-*]' + - '[Job,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[Job/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.fullname" . }}-hook-pre-delete]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[NetworkPolicy,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[NetworkPolicy/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[PodDisruptionBudget,{{ include "kyverno.namespace" . 
}},{{ template "kyverno.reports-controller.name" . }}]' + - '[PodDisruptionBudget/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.background-controller.name" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}-metrics]' + - '[Service,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[Service/*,{{ include "kyverno.namespace" . }},{{ template "kyverno.reports-controller.name" . }}-metrics]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.admission-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . 
}}{{ end }},{{ template "kyverno.background-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.cleanup-controller.name" . }}]' + - '[ServiceMonitor,{{ if .Values.admissionController.serviceMonitor.namespace }}{{ .Values.admissionController.serviceMonitor.namespace }}{{ else }}{{ template "kyverno.namespace" . }}{{ end }},{{ template "kyverno.reports-controller.name" . }}]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.admission-controller.serviceName" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + - '[Secret,{{ include "kyverno.namespace" . }},{{ template "kyverno.cleanup-controller.name" . }}.{{ template "kyverno.namespace" . }}.svc.*]' + # -- Defines the `namespaceSelector` in the webhook configurations. # Note that it takes a list of `namespaceSelector` and/or `objectSelector` in the JSON format, and only the first element # will be forwarded to the webhook configurations. # The Kyverno namespace is excluded if `excludeKyvernoNamespace` is `true` (default) webhooks: # Exclude namespaces - # - namespaceSelector: - # matchExpressions: - # - key: kubernetes.io/metadata.name - # operator: NotIn - # values: - # - kube-system - # - kyverno + - namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system # Exclude objects # - objectSelector: # matchExpressions: # - key: webhooks.kyverno.io/exclude # operator: DoesNotExist - # -- Generate success events. - generateSuccessEvents: false - # -- Metrics config. - metricsConfig: - # -- Additional annotations to add to the metricsconfigmap - annotations: {} - # example.com/annotation: foo - namespaces: { - "include": [], - "exclude": [] - } - # 'namespaces.include': list of namespaces to capture metrics for. 
Default: metrics being captured for all namespaces except excludeNamespaces. - # 'namespaces.exclude': list of namespaces to NOT capture metrics for. Default: [] - - # metricsRefreshInterval: 24h - # rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics - - # Or provide an existing metrics config-map by uncommenting the below line - # existingMetricsConfig: sample-metrics-configmap. Refer to the ./templates/metricsconfigmap.yaml for the structure of metrics configmap. -# -- Deployment update strategy. -# Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy -# @default -- See [values.yaml](values.yaml) -updateStrategy: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 40% - type: RollingUpdate - -service: - # -- Service port. - port: 443 - # -- Service type. - type: ClusterIP - # -- Service node port. - # Only used if `service.type` is `NodePort`. - nodePort: - # -- Service annotations. - annotations: {} + # -- Defines annotations to set on webhook configurations. + webhookAnnotations: + # Example to disable admission enforcer on AKS: + 'admissions.enforcer/disabled': 'true' + + # -- Defines labels to set on webhook configurations. + webhookLabels: {} + # Example to adopt webhook resources in ArgoCD: + # 'argocd.argoproj.io/instance': 'kyverno' -# -- Topology spread constraints. -topologySpreadConstraints: [] + # -- Defines match conditions to set on webhook configurations (requires Kubernetes 1.27+). + matchConditions: [] -metricsService: - # -- Create service. 
+ # -- Exclude Kyverno namespace + # Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters + excludeKyvernoNamespace: true + + # -- resourceFilter namespace exclude + # Namespaces to exclude from the default resourceFilters + resourceFiltersExcludeNamespaces: [] + + # -- resourceFilters exclude list + # Items to exclude from config.resourceFilters + resourceFiltersExclude: [] + + # -- resourceFilter namespace include + # Namespaces to include to the default resourceFilters + resourceFiltersIncludeNamespaces: [] + + # -- resourceFilters include list + # Items to include to config.resourceFilters + resourceFiltersInclude: [] + +# Metrics configuration +metricsConfig: + + # -- Create the configmap. create: true - # -- Service port. - # Kyverno's metrics server will be exposed at this port. - port: 8000 - # -- Service type. - type: ClusterIP - # -- Service node port. - # Only used if `metricsService.type` is `NodePort`. - nodePort: - # -- Service annotations. + + # -- (string) The configmap name (required if `create` is `false`). + name: ~ + + # -- Additional annotations to add to the configmap. annotations: {} -serviceMonitor: - # -- Create a `ServiceMonitor` to collect Prometheus metrics. + namespaces: + + # -- List of namespaces to capture metrics for. + include: [] + + # -- list of namespaces to NOT capture metrics for. + exclude: [] + + # -- (string) Rate at which metrics should reset so as to clean up the memory footprint of kyverno metrics, if you might be expecting high memory footprint of Kyverno's metrics. Default: 0, no refresh of metrics. 
WARNING: This flag is not working since Kyverno 1.8.0 + metricsRefreshInterval: ~ + # metricsRefreshInterval: 24h + + # -- (list) Configures the bucket boundaries for all Histogram metrics, changing this configuration requires restart of the kyverno admission controller + bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10, 15, 20, 25, 30] + + # -- (map) Configures the exposure of individual metrics, by default all metrics and all labels are exported, changing this configuration requires restart of the kyverno admission controller + metricsExposure: ~ + # metricsExposure: + # kyverno_policy_execution_duration_seconds: + # disabledLabelDimensions: ["resource_kind", "resource_namespace", "resource_request_operation"] + # bucketBoundaries: [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5] + # kyverno_admission_review_duration_seconds: + # enabled: false + +# -- Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +imagePullSecrets: {} + # regcred: + # registry: foo.example.com + # username: foobar + # password: secret + # regcred2: + # registry: bar.example.com + # username: barbaz + # password: secret2 + +# -- Existing Image pull secrets for image verification policies, this will define the `--imagePullSecrets` argument +existingImagePullSecrets: [] + # - test-registry + # - other-test-registry + +# Tests configuration +test: + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: busybox + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.35' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Security context for the test containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + 
allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +# -- Additional labels +customLabels: {} + +webhooksCleanup: + # -- Create a helm pre-delete hook to cleanup webhooks. + enabled: true + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: bitnami/kubectl + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.30.2' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Image pull secrets + imagePullSecrets: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +policyReportsCleanup: + # -- Create a helm post-upgrade hook to cleanup the old policy reports. 
+ enabled: true + + image: + # -- (string) Image registry + registry: ~ + # -- Image repository + repository: bitnami/kubectl + # -- Image tag + # Defaults to `latest` if omitted + tag: '1.30.2' + # -- (string) Image pull policy + # Defaults to image.pullPolicy if omitted + pullPolicy: ~ + + # -- Image pull secrets + imagePullSecrets: [] + # - name: secretName + + # -- Security context for the pod + podSecurityContext: {} + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + # -- Pod anti affinity constraints. + podAntiAffinity: {} + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Pod labels. + podLabels: {} + + # -- Pod annotations. + podAnnotations: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Security context for the hook containers + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +grafana: + # -- Enable grafana dashboard creation. enabled: false - # -- Additional labels - additionalLabels: - # key: value - # -- Override namespace (default is the same as kyverno) - namespace: - # -- Interval to scrape metrics - interval: 30s - # -- Timeout if metrics can't be retrieved in given time interval - scrapeTimeout: 25s - # -- Is TLS required for endpoint - secure: false - # -- TLS Configuration for endpoint - tlsConfig: {} - -# -- Kyverno requires a certificate key pair and corresponding certificate authority -# to properly register its webhooks. This can be done in one of 3 ways: -# 1) Use kube-controller-manager to generate a CA-signed certificate (preferred) -# 2) Provide your own CA and cert. -# In this case, you will need to create a certificate with a specific name and data structure. -# As long as you follow the naming scheme, it will be automatically picked up. 
-# kyverno-svc.(namespace).svc.kyverno-tls-ca (with data entries named tls.key and tls.crt) -# kyverno-svc.kyverno.svc.kyverno-tls-pair (with data entries named tls.key and tls.crt) -# 3) Let Helm generate a self signed cert, by setting createSelfSignedCert true -# If letting Kyverno create its own CA or providing your own, make createSelfSignedCert is false -createSelfSignedCert: false - -# -- Whether to have Helm install the Kyverno CRDs. -# If the CRDs are not installed by Helm, they must be added before policies can be created. -installCRDs: true -crds: - # -- Additional CRDs annotations. + # -- Configmap name template. + configMapName: '{{ include "kyverno.fullname" . }}-grafana' + + # -- (string) Namespace to create the grafana dashboard configmap. + # If not set, it will be created in the same namespace where the chart is deployed. + namespace: ~ + + # -- Grafana dashboard configmap annotations. annotations: {} - # argocd.argoproj.io/sync-options: Replace=true - # strategy.spinnaker.io/replace: 'true' -networkPolicy: - # -- When true, use a NetworkPolicy to allow ingress to the webhook - # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. - enabled: false - # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. - ingressFrom: [] + # -- Grafana dashboard configmap labels + labels: + grafana_dashboard: "1" + + # -- create GrafanaDashboard custom resource referencing to the configMap. 
+ # according to https://grafana-operator.github.io/grafana-operator/docs/examples/dashboard_from_configmap/readme/ + grafanaDashboard: + create: false + folder: kyverno + allowCrossNamespaceImport: true + matchLabels: + dashboards: "grafana" + +# Features configuration +features: + admissionReports: + # -- Enables the feature + enabled: true + aggregateReports: + # -- Enables the feature + enabled: true + policyReports: + # -- Enables the feature + enabled: true + validatingAdmissionPolicyReports: + # -- Enables the feature + enabled: false + autoUpdateWebhooks: + # -- Enables the feature + enabled: true + backgroundScan: + # -- Enables the feature + enabled: true + # -- Number of background scan workers + backgroundScanWorkers: 2 + # -- Background scan interval + backgroundScanInterval: 1h + # -- Skips resource filters in background scan + skipResourceFilters: true + configMapCaching: + # -- Enables the feature + enabled: true + deferredLoading: + # -- Enables the feature + enabled: true + dumpPayload: + # -- Enables the feature + enabled: false + forceFailurePolicyIgnore: + # -- Enables the feature + enabled: false + generateValidatingAdmissionPolicy: + # -- Enables the feature + enabled: false + globalContext: + # -- Maximum allowed response size from API Calls. 
A value of 0 bypasses checks (not recommended) + maxApiCallResponseLength: 2000000 + logging: + # -- Logging format + format: text + # -- Logging verbosity + verbosity: 2 + omitEvents: + # -- Events which should not be emitted (possible values `PolicyViolation`, `PolicyApplied`, `PolicyError`, and `PolicySkipped`) + eventTypes: + - PolicyApplied + - PolicySkipped + # - PolicyViolation + # - PolicyError + policyExceptions: + # -- Enables the feature + enabled: true + # -- Restrict policy exceptions to a single namespace + namespace: '' + protectManagedResources: + # -- Enables the feature + enabled: false + registryClient: + # -- Allow insecure registry + allowInsecure: false + # -- Enable registry client helpers + credentialHelpers: + - default + - google + - amazon + - azure + - github + ttlController: + # -- Reconciliation interval for the label based cleanup manager + reconciliationInterval: 1m + tuf: + # -- Enables the feature + enabled: false + # -- (string) Tuf root + root: ~ + # -- (string) Tuf mirror + mirror: ~ + +# Admission controller configuration +admissionController: + + # -- Overrides features defined at the root level + featuresOverride: + admissionReports: + # -- Max number of admission reports allowed in flight until the admission controller stops creating new ones + backPressureThreshold: 1000 + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- The ServiceAccount name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. 
+ # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + # verbs: + # - create + # - update + # - delete + + # -- Create self-signed certificates at deployment time. + # The certificates won't be automatically renewed if this is set to `true`. + createSelfSignedCert: false + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment update strategy. + # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno admission controller activities. + # This will help ensure Kyverno stability in busy clusters. + # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ + apiPriorityAndFairness: false + + # -- Priority level configuration. + # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. 
+ # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration + # @default -- See [values.yaml](values.yaml) + priorityLevelConfigurationSpec: + type: Limited + limited: + nominalConcurrencyShares: 10 + limitResponse: + queuing: + queueLengthLimit: 50 + type: Queue + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- admissionController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Startup probe. + # The block is directly forwarded into the deployment, so you can use whatever startupProbes configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + startupProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + failureThreshold: 20 + initialDelaySeconds: 2 + periodSeconds: 6 + + # -- Liveness probe. + # The block is directly forwarded into the deployment, so you can use whatever livenessProbe configuration you want. 
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + livenessProbe: + httpGet: + path: /health/liveness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 2 + successThreshold: 1 + + # -- Readiness Probe. + # The block is directly forwarded into the deployment, so you can use whatever readinessProbe configuration you want. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/ + # @default -- See [values.yaml](values.yaml) + readinessProbe: + httpGet: + path: /health/readiness + port: 9443 + scheme: HTTPS + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - admission-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. 
+ # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. + tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.admissionController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + initContainer: + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/kyvernopre + # -- (string) Image tag + # If missing, defaults to image.tag + tag: ~ + # -- (string) Image pull policy + # If missing, defaults to image.pullPolicy + pullPolicy: ~ + + resources: + # -- Pod resource limits + limits: + cpu: 100m + memory: 256Mi + # -- Pod resource requests + requests: + cpu: 10m + memory: 64Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. 
+ extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + container: + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/kyverno + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + resources: + # -- Pod resource limits + limits: + memory: 384Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 128Mi + + # -- Container security context + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + # -- Additional container args. + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + # -- Array of extra init containers + extraInitContainers: [] + # - name: init-container + # image: busybox + # command: ['sh', '-c', 'echo Hello'] + + # -- Array of extra containers to run alongside kyverno + extraContainers: [] + # - name: myapp-container + # image: busybox + # command: ['sh', '-c', 'echo Hello && sleep 3600'] + + service: + # -- Service port. + port: 443 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Kyverno's metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + # -- Service annotations. 
+ annotations: {} + + networkPolicy: + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' + + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + +# Background controller configuration +backgroundController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable background controller. 
+ enabled: true + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - networkpolicies + verbs: + - create + - update + - patch + - delete + - apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + - roles + verbs: + - create + - update + - patch + - delete + - apiGroups: + - '' + resources: + - configmaps + - secrets + - resourcequotas + - limitranges + verbs: + - create + - update + - patch + - delete + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + # verbs: + # - create + # - update + # - delete + # - patch + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/background-controller + # -- Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment update strategy. 
+ # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Extra arguments passed to the container on the command line + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - background-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. 
+ podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.backgroundController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- Service node port. + # Only used if `metricsService.type` is `NodePort`. + nodePort: + # -- Service annotations. + annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. 
+ ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + tracing: + # -- Enable tracing + enabled: false + # -- Traces receiver address + address: + # -- Traces receiver port + port: + # -- Traces receiver credentials + creds: '' -webhooksCleanup: - # -- Create a helm pre-delete hook to cleanup webhooks. - enabled: false - # -- `kubectl` image to run commands for deleting webhooks. - image: bitnami/kubectl:latest + metering: + # -- Disable metrics export + disabled: false + # -- Otel configuration, can be `prometheus` or `grpc` + config: prometheus + # -- Prometheus endpoint port + port: 8000 + # -- Otel collector endpoint + collector: '' + # -- Otel collector credentials + creds: '' -# -- A writable volume to use for the TUF root initialization. -tufRootMountPath: /.sigstore + # -- backgroundController server port + # in case you are using hostNetwork: true, you might want to change the port the backgroundController is listening to + server: + port: 9443 -grafana: - # -- Enable grafana dashboard creation. - enabled: false - # -- Namespace to create the grafana dashboard configmap. - # If not set, it will be created in the same namespace where the chart is deployed. - namespace: - # -- Grafana dashboard configmap annotations. - annotations: {} + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. 
+ serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: +# Cleanup controller configuration cleanupController: + # -- Overrides features defined at the root level + featuresOverride: {} + # -- Enable cleanup controller. enabled: true @@ -511,6 +1413,10 @@ cleanupController: # -- Service account name name: + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + clusterRole: # -- Extra resource permissions to add in the cluster role extraResources: [] @@ -518,6 +1424,10 @@ cleanupController: # - '' # resources: # - pods + # verbs: + # - delete + # - list + # - watch # -- Create self-signed certificates at deployment time. # The certificates won't be automatically renewed if this is set to `true`. @@ -525,24 +1435,33 @@ cleanupController: image: # -- Image registry - registry: - # If you want to manage the registry you should remove it from the repository - # registry: ghcr.io - # repository: kyverno/kyverno + registry: ghcr.io # -- Image repository - repository: ghcr.io/kyverno/cleanup-controller # kyverno: replaced in e2e tests - # -- Image tag + repository: kyverno/cleanup-controller + # -- (string) Image tag # Defaults to appVersion in Chart.yaml if omitted - tag: # replaced in e2e tests + tag: ~ # -- Image pull policy pullPolicy: IfNotPresent - # -- Image pull secrets - pullSecrets: [] + + # -- Image pull secrets + imagePullSecrets: [] # - secretName # -- (int) Desired number of pods replicas: ~ + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + # -- Deployment update strategy. # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy # @default -- See [values.yaml](values.yaml) 
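Review bot: The `pullSecrets` → `imagePullSecrets` rename in the `image` block has no compatibility note, so a values file that still sets `cleanupController.pullSecrets` for a private registry will, as far as this hunk shows, simply have that key ignored after the upgrade and the pod will fail to pull. Say so next to the new key, e.g. `# -- Image pull secrets (renamed from pullSecrets; the old key is no longer read)`, and mention it in the chart upgrade notes. Whether a template-side fallback to the old key exists is not visible here.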
@@ -560,13 +1479,29 @@ cleanupController: # Update the `dnsPolicy` accordingly as well to suit the host network mode. hostNetwork: false + # -- cleanupController server port + # in case you are using hostNetwork: true, you might want to change the port the cleanupController is listening to + server: + port: 9443 + # -- cleanupController webhook server port + # in case you are using hostNetwork: true, you might want to change the port the webhookServer is listening to + webhookServer: + port: 9443 + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. dnsPolicy: ClusterFirst # -- Extra arguments passed to the container on the command line - extraArgs: [] + extraArgs: {} + + # -- Additional container environment variables. + extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' resources: # -- Pod resource limits @@ -670,6 +1605,9 @@ cleanupController: type: RuntimeDefault podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false # -- Configures the minimum available pods for disruptions. # Cannot be used if `maxUnavailable` is set. minAvailable: 1 
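Review bot: `extraArgs` changes type from a list (`[]`) to a map (`{}`) without any comment, and an existing values file that passes list-form args will either fail to render or have its arguments dropped depending on how the template ranges over it, which this hunk does not show. The key's own comment should carry the shape so users do not have to discover it from a failed upgrade, e.g. `# -- Extra arguments passed to the container on the command line, as a map of flag name to value (was a list in earlier chart versions)`. The `server.port` and `webhookServer.port` defaults are both `9443`; if these are two separate listeners that is a conflict, if one is an alias of the other the comments should say which.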
@@ -702,14 +1640,22 @@ cleanupController: # -- Service annotations. annotations: {} + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + serviceMonitor: # -- Create a `ServiceMonitor` to collect Prometheus metrics. enabled: false # -- Additional labels - additionalLabels: - # key: value - # -- Override namespace (default is the same as kyverno) - namespace: + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ # -- Interval to scrape metrics interval: 30s # -- Timeout if metrics can't be retrieved in given time interval @@ -718,6 +1664,10 @@ cleanupController: secure: false # -- TLS Configuration for endpoint tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] tracing: # -- Enable tracing @@ -729,10 +1679,6 @@ cleanupController: # -- Traces receiver credentials creds: '' - logging: - # -- Logging format - format: text - metering: # -- Disable metrics export disabled: false 
@@ -744,3 +1690,306 @@ cleanupController: collector: '' # -- Otel collector credentials creds: '' + + profiling: + # -- Enable profiling + enabled: false + # -- Profiling endpoint port + port: 6060 + # -- Service type. + serviceType: ClusterIP + # -- Service node port. + # Only used if `type` is `NodePort`. + nodePort: + +# Reports controller configuration +reportsController: + + # -- Overrides features defined at the root level + featuresOverride: {} + + # -- Enable reports controller. + enabled: true + + rbac: + # -- Create RBAC resources + create: true + + serviceAccount: + # -- Service account name + name: + + # -- Annotations for the ServiceAccount + annotations: {} + # example.com/annotation: value + + coreClusterRole: + # -- Extra resource permissions to add in the core cluster role. + # This was introduced to avoid breaking change in the chart but should ideally be moved in `clusterRole.extraResources`. + # @default -- See [values.yaml](values.yaml) + extraResources: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + + clusterRole: + # -- Extra resource permissions to add in the cluster role + extraResources: [] + # - apiGroups: + # - '' + # resources: + # - pods + + image: + # -- Image registry + registry: ghcr.io + # -- Image repository + repository: kyverno/reports-controller + # -- (string) Image tag + # Defaults to appVersion in Chart.yaml if omitted + tag: ~ + # -- Image pull policy + pullPolicy: IfNotPresent + + # -- Image pull secrets + imagePullSecrets: [] + # - secretName + + # -- (int) Desired number of pods + replicas: ~ + + # -- The number of revisions to keep + revisionHistoryLimit: 10 + + # -- Additional labels to add to each pod + podLabels: {} + # example.com/label: foo + + # -- Additional annotations to add to each pod + podAnnotations: {} + # example.com/annotation: foo + + # -- Deployment update strategy. 
+ # Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # @default -- See [values.yaml](values.yaml) + updateStrategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 40% + type: RollingUpdate + + # -- Optional priority class + priorityClassName: '' + + # -- Change `apiPriorityAndFairness` to `true` if you want to insulate the API calls made by Kyverno reports controller activities. + # This will help ensure Kyverno reports stability in busy clusters. + # Ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/ + apiPriorityAndFairness: false + + # -- Priority level configuration. + # The block is directly forwarded into the priorityLevelConfiguration, so you can use whatever specification you want. + # ref: https://kubernetes.io/docs/concepts/cluster-administration/flow-control/#prioritylevelconfiguration + # @default -- See [values.yaml](values.yaml) + priorityLevelConfigurationSpec: + type: Limited + limited: + nominalConcurrencyShares: 10 + limitResponse: + queuing: + queueLengthLimit: 50 + type: Queue + + # -- Change `hostNetwork` to `true` when you want the pod to share its host's network namespace. + # Useful for situations like when you end up dealing with a custom CNI over Amazon EKS. + # Update the `dnsPolicy` accordingly as well to suit the host network mode. + hostNetwork: false + + # -- `dnsPolicy` determines the manner in which DNS resolution happens in the cluster. + # In case of `hostNetwork: true`, usually, the `dnsPolicy` is suitable to be `ClusterFirstWithHostNet`. + # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy. + dnsPolicy: ClusterFirst + + # -- Extra arguments passed to the container on the command line + extraArgs: {} + + # -- Additional container environment variables. 
+ extraEnvVars: [] + # Example setting proxy + # extraEnvVars: + # - name: HTTPS_PROXY + # value: 'https://proxy.example.com:3128' + + resources: + # -- Pod resource limits + limits: + memory: 128Mi + # -- Pod resource requests + requests: + cpu: 100m + memory: 64Mi + + # -- Node labels for pod assignment + nodeSelector: {} + + # -- List of node taints to tolerate + tolerations: [] + + antiAffinity: + # -- Pod antiAffinities toggle. + # Enabled by default but can be disabled if you want to schedule pods to the same node. + enabled: true + + # -- Pod anti affinity constraints. + # @default -- See [values.yaml](values.yaml) + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 1 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/component + operator: In + values: + - reports-controller + topologyKey: kubernetes.io/hostname + + # -- Pod affinity constraints. + podAffinity: {} + + # -- Node affinity constraints. + nodeAffinity: {} + + # -- Topology spread constraints. + topologySpreadConstraints: [] + + # -- Security context for the pod + podSecurityContext: {} + + # -- Security context for the containers + securityContext: + runAsNonRoot: true + privileged: false + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + + podDisruptionBudget: + # -- Enable PodDisruptionBudget. + # Will always be enabled if replicas > 1. This non-declarative behavior should ideally be avoided, but changing it now would be breaking. + enabled: false + # -- Configures the minimum available pods for disruptions. + # Cannot be used if `maxUnavailable` is set. + minAvailable: 1 + # -- Configures the maximum unavailable pods for disruptions. + # Cannot be used if `minAvailable` is set. + maxUnavailable: + + # -- A writable volume to use for the TUF root initialization. 
+ tufRootMountPath: /.sigstore + + # -- Volume to be mounted in pods for TUF/cosign work. + sigstoreVolume: + emptyDir: {} + + caCertificates: + # -- CA certificates to use with Kyverno deployments + # This value is expected to be one large string of CA certificates + data: ~ + # -- Volume to be mounted for CA certificates + # Not used when `.Values.reportsController.caCertificates.data` is defined + volume: {} + # Example to use hostPath: + # hostPath: + # path: /etc/pki/tls/ca-certificates.crt + # type: File + + + metricsService: + # -- Create service. + create: true + # -- Service port. + # Metrics server will be exposed at this port. + port: 8000 + # -- Service type. + type: ClusterIP + # -- (string) Service node port. + # Only used if `type` is `NodePort`. + nodePort: ~ + # -- Service annotations. + annotations: {} + + networkPolicy: + + # -- When true, use a NetworkPolicy to allow ingress to the webhook + # This is useful on clusters using Calico and/or native k8s network policies in a default-deny setup. + enabled: false + + # -- A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. + ingressFrom: [] + + serviceMonitor: + # -- Create a `ServiceMonitor` to collect Prometheus metrics. + enabled: false + # -- Additional labels + additionalLabels: {} + # -- (string) Override namespace + namespace: ~ + # -- Interval to scrape metrics + interval: 30s + # -- Timeout if metrics can't be retrieved in given time interval + scrapeTimeout: 25s + # -- Is TLS required for endpoint + secure: false + # -- TLS Configuration for endpoint + tlsConfig: {} + # -- RelabelConfigs to apply to samples before scraping + relabelings: [] + # -- MetricRelabelConfigs to apply to samples before ingestion. 
+ metricRelabelings: []
+
+ tracing:
+ # -- Enable tracing
+ enabled: false
+ # -- (string) Traces receiver address
+ address: ~
+ # -- (string) Traces receiver port
+ port: ~
+ # -- (string) Traces receiver credentials
+ creds: ~
+
+ metering:
+ # -- Disable metrics export
+ disabled: false
+ # -- Otel configuration, can be `prometheus` or `grpc`
+ config: prometheus
+ # -- Prometheus endpoint port
+ port: 8000
+ # -- (string) Otel collector endpoint
+ collector: ~
+ # -- (string) Otel collector credentials
+ creds: ~
+
+ # -- reportsController server port
+ # in case you are using hostNetwork: true, you might want to change the port the reportsController is listening to
+ server:
+ port: 9443
+
+ profiling:
+ # -- Enable profiling
+ enabled: false
+ # -- Profiling endpoint port
+ port: 6060
+ # -- Service type.
+ serviceType: ClusterIP
+ # -- Service node port.
+ # Only used if `type` is `NodePort`.
+ nodePort:
diff --git a/cmd/background-controller/main.go b/cmd/background-controller/main.go
new file mode 100644
index 000000000000..92b85bfcb026
--- /dev/null
+++ b/cmd/background-controller/main.go
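Review bot: The default `coreClusterRole.extraResources` for the reports controller grants `get`/`list`/`watch` on `'*'` resources in `'*'` API groups, which makes the controller's service account a cluster-wide reader of everything including Secrets, and the comment above it only explains why the key exists, not what it grants. Spell that out where the wildcard is declared so an operator reviewing RBAC sees it, e.g. `# NOTE: this wildcard lets the reports controller read every resource in the cluster, Secrets included; narrow it if your policies do not need that scope`. Whether report generation actually needs read access to Secrets is not visible in this hunk.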
@@ -0,0 +1,268 @@
+package main
+
+import (
+ "context"
+ "errors"
+ "flag"
+ "os"
+ "strings"
+ "sync"
+ "time"
+
+ "github.com/kyverno/kyverno/cmd/internal"
+ "github.com/kyverno/kyverno/pkg/background"
+ "github.com/kyverno/kyverno/pkg/client/clientset/versioned"
+ kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions"
+ "github.com/kyverno/kyverno/pkg/clients/dclient"
+ "github.com/kyverno/kyverno/pkg/config"
+ globalcontextcontroller "github.com/kyverno/kyverno/pkg/controllers/globalcontext"
+ policymetricscontroller "github.com/kyverno/kyverno/pkg/controllers/metrics/policy"
+ engineapi "github.com/kyverno/kyverno/pkg/engine/api"
+ "github.com/kyverno/kyverno/pkg/engine/apicall"
+ "github.com/kyverno/kyverno/pkg/engine/jmespath"
+ "github.com/kyverno/kyverno/pkg/event"
+ "github.com/kyverno/kyverno/pkg/globalcontext/store"
+ "github.com/kyverno/kyverno/pkg/leaderelection"
+ "github.com/kyverno/kyverno/pkg/logging"
+ "github.com/kyverno/kyverno/pkg/metrics"
+ "github.com/kyverno/kyverno/pkg/policy"
+ "github.com/kyverno/kyverno/pkg/utils/generator"
+ kubeutils "github.com/kyverno/kyverno/pkg/utils/kube"
+ apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+ kubeinformers "k8s.io/client-go/informers"
+ kyamlopenapi "sigs.k8s.io/kustomize/kyaml/openapi"
+)
+
+const (
+ resyncPeriod = 15 * time.Minute
+)
+
+func sanityChecks(apiserverClient apiserver.Interface) error {
+ return kubeutils.CRDsInstalled(apiserverClient, "updaterequests.kyverno.io")
+}
+
+func createrLeaderControllers(
+ eng engineapi.Engine,
+ genWorkers int,
+ kubeInformer kubeinformers.SharedInformerFactory,
+ kyvernoInformer kyvernoinformer.SharedInformerFactory,
+ kyvernoClient versioned.Interface,
+ dynamicClient dclient.Interface,
+ configuration config.Configuration,
+ metricsConfig metrics.MetricsConfigManager,
+ eventGenerator event.Interface,
+ jp jmespath.Interface,
+ backgroundScanInterval time.Duration,
+ urGenerator generator.UpdateRequestGenerator,
+) ([]internal.Controller, error) {
+ policyCtrl, err := policy.NewPolicyController(
+ kyvernoClient,
+ dynamicClient,
+ eng,
+ kyvernoInformer.Kyverno().V1().ClusterPolicies(),
+ kyvernoInformer.Kyverno().V1().Policies(),
+ kyvernoInformer.Kyverno().V2().UpdateRequests(),
+ configuration,
+ eventGenerator,
+ kubeInformer.Core().V1().Namespaces(),
+ logging.WithName("PolicyController"),
+ backgroundScanInterval,
+ metricsConfig,
+ jp,
+ urGenerator,
+ )
+ if err != nil {
+ return nil, err
+ }
+ backgroundController := background.NewController(
+ kyvernoClient,
+ dynamicClient,
+ eng,
+ kyvernoInformer.Kyverno().V1().ClusterPolicies(),
+ kyvernoInformer.Kyverno().V1().Policies(),
+ kyvernoInformer.Kyverno().V2().UpdateRequests(),
+ kubeInformer.Core().V1().Namespaces(),
+ eventGenerator,
+ configuration,
+ jp,
+ )
+ return []internal.Controller{
+ internal.NewController("policy-controller", policyCtrl, 2),
+ internal.NewController("background-controller", backgroundController, genWorkers),
+ }, err
+}
+
+func main() {
+ var (
+ genWorkers int
+ maxQueuedEvents int
+ omitEvents string
+ maxAPICallResponseLength int64
+ )
+ flagset := flag.NewFlagSet("updaterequest-controller", flag.ExitOnError)
+ flagset.IntVar(&genWorkers, "genWorkers", 10, "Workers for the background controller.")
+ flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.")
+ flagset.StringVar(&omitEvents, "omitEvents", "", "Set this flag to a comma sperated list of PolicyViolation, PolicyApplied, PolicyError, PolicySkipped to disable events, e.g. --omitEvents=PolicyApplied,PolicyViolation")
+ flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 2*1000*1000, "Maximum allowed response size from API Calls. A value of 0 bypasses checks (not recommended).")
+ // config
+ appConfig := internal.NewConfiguration(
+ internal.WithProfiling(),
+ internal.WithMetrics(),
+ internal.WithTracing(),
+ internal.WithKubeconfig(),
+ internal.WithPolicyExceptions(),
+ internal.WithConfigMapCaching(),
+ internal.WithDeferredLoading(),
+ internal.WithRegistryClient(),
+ internal.WithLeaderElection(),
+ internal.WithKyvernoClient(),
+ internal.WithDynamicClient(),
+ internal.WithKyvernoDynamicClient(),
+ internal.WithEventsClient(),
+ internal.WithApiServerClient(),
+ internal.WithMetadataClient(),
+ internal.WithFlagSets(flagset),
+ )
+ // parse flags
+ internal.ParseFlags(appConfig)
+ var wg sync.WaitGroup
+ func() {
+ // setup
+ signalCtx, setup, sdown := internal.Setup(appConfig, "kyverno-background-controller", false)
+ defer sdown()
+ var err error
+ bgscanInterval := time.Hour
+ val := os.Getenv("BACKGROUND_SCAN_INTERVAL")
+ if val != "" {
+ if bgscanInterval, err = time.ParseDuration(val); err != nil {
+ setup.Logger.Error(err, "failed to set the background scan interval")
+ os.Exit(1)
+ }
+ }
+ setup.Logger.V(2).Info("setting the background scan interval", "value", bgscanInterval.String())
+ // THIS IS AN UGLY FIX
+ // ELSE KYAML IS NOT THREAD SAFE
+ kyamlopenapi.Schema()
+ if err := sanityChecks(setup.ApiServerClient); err != nil {
+ setup.Logger.Error(err, "sanity checks failed")
+ os.Exit(1)
+ }
+ // informer factories
+ kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(setup.KyvernoClient, resyncPeriod)
+ polexCache, polexController := internal.NewExceptionSelector(setup.Logger, kyvernoInformer)
+ eventGenerator := event.NewEventGenerator(
+ setup.EventsClient,
+ logging.WithName("EventGenerator"),
+ maxQueuedEvents,
+ strings.Split(omitEvents, ",")...,
+ )
+ eventController := internal.NewController(
+ event.ControllerName,
+ eventGenerator,
+ event.Workers,
+ )
+ urGenerator := generator.NewUpdateRequestGenerator(setup.Configuration, setup.MetadataClient)
+ gcstore := store.New()
+ gceController := internal.NewController(
+ globalcontextcontroller.ControllerName,
+ globalcontextcontroller.NewController(
+ kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(),
+ setup.KyvernoDynamicClient,
+ setup.KyvernoClient,
+ gcstore,
+ eventGenerator,
+ maxAPICallResponseLength,
+ false,
+ ),
+ globalcontextcontroller.Workers,
+ ) // this controller only subscribe to events, nothing is returned...
+ policymetricscontroller.NewController(
+ setup.MetricsManager,
+ kyvernoInformer.Kyverno().V1().ClusterPolicies(),
+ kyvernoInformer.Kyverno().V1().Policies(),
+ &wg,
+ )
+ engine := internal.NewEngine(
+ signalCtx,
+ setup.Logger,
+ setup.Configuration,
+ setup.MetricsConfiguration,
+ setup.Jp,
+ setup.KyvernoDynamicClient,
+ setup.RegistryClient,
+ setup.ImageVerifyCacheClient,
+ setup.KubeClient,
+ setup.KyvernoClient,
+ setup.RegistrySecretLister,
+ apicall.NewAPICallConfiguration(maxAPICallResponseLength),
+ polexCache,
+ gcstore,
+ )
+ // start informers and wait for cache sync
+ if !internal.StartInformersAndWaitForCacheSync(signalCtx, setup.Logger, kyvernoInformer) {
+ setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
+ os.Exit(1)
+ }
+ // setup leader election
+ le, err := leaderelection.New(
+ setup.Logger.WithName("leader-election"),
+ "kyverno-background-controller",
+ config.KyvernoNamespace(),
+ setup.LeaderElectionClient,
+ config.KyvernoPodName(),
+ internal.LeaderElectionRetryPeriod(),
+ func(ctx context.Context) {
+ logger := setup.Logger.WithName("leader")
+ // create leader factories
+ kubeInformer := kubeinformers.NewSharedInformerFactory(setup.KubeClient, resyncPeriod)
+ kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(setup.KyvernoClient, resyncPeriod)
+ // create leader controllers
+ leaderControllers, err := createrLeaderControllers(
+ engine,
+ genWorkers,
+ kubeInformer,
+ kyvernoInformer,
+ setup.KyvernoClient,
+ setup.KyvernoDynamicClient,
+ setup.Configuration,
+ setup.MetricsManager,
+ eventGenerator,
+ setup.Jp,
+ bgscanInterval,
+ urGenerator,
+ )
+ if err != nil {
+ logger.Error(err, "failed to create leader controllers")
+ os.Exit(1)
+ }
+ // start informers and wait for cache sync
+ if !internal.StartInformersAndWaitForCacheSync(signalCtx, logger, kyvernoInformer, kubeInformer) {
+ logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync")
+ os.Exit(1)
+ }
+ // start leader controllers
+ var wg sync.WaitGroup
+ for _, controller := range leaderControllers {
+ controller.Run(signalCtx, logger.WithName("controllers"), &wg)
+ }
+ // wait all controllers shut down
+ wg.Wait()
+ },
+ nil,
+ )
+ if err != nil {
+ setup.Logger.Error(err, "failed to initialize leader election")
+ os.Exit(1)
+ }
+ // start non leader controllers
+ eventController.Run(signalCtx, setup.Logger, &wg)
+ gceController.Run(signalCtx, setup.Logger, &wg)
+ if polexController != nil {
+ polexController.Run(signalCtx, setup.Logger, &wg)
+ }
+ // start leader election
+ le.Run(signalCtx)
+ }()
+ // wait for everything to shut down and exit
+ wg.Wait()
+}
diff --git a/cmd/cleanup-controller/handlers/admission/handlers.go b/cmd/cleanup-controller/handlers/admission/handlers.go
deleted file mode 100644
index d2400ccdb2dd..000000000000
--- a/cmd/cleanup-controller/handlers/admission/handlers.go
+++ /dev/null
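Review bot: `BACKGROUND_SCAN_INTERVAL` is only checked for a parse error in `main`; `time.ParseDuration` accepts `0` and negative values such as `-1h`, and the result is handed to `policy.NewPolicyController` as `backgroundScanInterval` with no lower bound. What the controller does with a non-positive interval is outside this hunk, but a periodic scan driven by it would presumably spin or panic, so reject it right after the parse: `if bgscanInterval <= 0 { setup.Logger.Error(errors.New("interval must be positive"), "invalid BACKGROUND_SCAN_INTERVAL", "value", val); os.Exit(1) }`. Two smaller points in the same hunk: `createrLeaderControllers` ends with `}, err` where `err` is necessarily nil after the early return, so `}, nil` says what is meant; and the `--omitEvents` help text misspells "separated", while its default `""` reaches the generator as a single empty reason via `strings.Split`, which is fine only if empty names are ignored there.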
@@ -1,35 +0,0 @@
-package admission
-
-import (
- "context"
- "time"
-
- "github.com/go-logr/logr"
- "github.com/kyverno/kyverno/pkg/clients/dclient"
- admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
- validation "github.com/kyverno/kyverno/pkg/validation/cleanuppolicy"
- admissionv1 "k8s.io/api/admission/v1"
-)
-
-type handlers struct {
- client dclient.Interface
-}
-
-func New(client dclient.Interface) *handlers {
- return &handlers{
- client: client,
- }
-}
-
-func (h *handlers) Validate(ctx context.Context, logger logr.Logger, request *admissionv1.AdmissionRequest, _ time.Time) *admissionv1.AdmissionResponse {
- policy, _, err := admissionutils.GetCleanupPolicies(request)
- if err != nil {
- logger.Error(err, "failed to unmarshal policies from admission request")
- return admissionutils.Response(request.UID, err)
- }
- if err := validation.Validate(ctx, logger, h.client, policy); err != nil {
- logger.Error(err, "policy validation errors")
- return admissionutils.Response(request.UID, err)
- }
- return nil
-}
diff --git a/cmd/cleanup-controller/handlers/admission/policy/handlers.go b/cmd/cleanup-controller/handlers/admission/policy/handlers.go
new file mode 100644
index 000000000000..5444b0fe46c7
--- /dev/null
+++ b/cmd/cleanup-controller/handlers/admission/policy/handlers.go
@@ -0,0 +1,35 @@
+package policy
+
+import (
+ "context"
+ "time"
+
+ "github.com/go-logr/logr"
+ "github.com/kyverno/kyverno/pkg/clients/dclient"
+ admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+ validation "github.com/kyverno/kyverno/pkg/validation/cleanuppolicy"
+ "github.com/kyverno/kyverno/pkg/webhooks/handlers"
+)
+
+type validationHandlers struct {
+ client dclient.Interface
+}
+
+func New(client dclient.Interface) *validationHandlers {
+ return &validationHandlers{
+ client: client,
+ }
+}
+
+func (h *validationHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, _ time.Time) handlers.AdmissionResponse {
+ policy, _, err := admissionutils.GetCleanupPolicies(request.AdmissionRequest)
+ if err != nil {
+ logger.Error(err, "failed to unmarshal policies from admission request")
+ return admissionutils.Response(request.UID, err)
+ }
+ if err := validation.Validate(ctx, logger, h.client, policy); err != nil {
+ logger.Error(err, "policy validation errors")
+ return admissionutils.Response(request.UID, err)
+ }
+ return admissionutils.ResponseSuccess(request.UID)
+}
diff --git a/cmd/cleanup-controller/handlers/admission/resource/handlers.go b/cmd/cleanup-controller/handlers/admission/resource/handlers.go
new file mode 100644
index 000000000000..2d99e1c95db7
--- /dev/null
+++ b/cmd/cleanup-controller/handlers/admission/resource/handlers.go
@@ -0,0 +1,41 @@
+package resource
+
+import (
+ "context"
+ "fmt"
+ "time"
+
+ "github.com/go-logr/logr"
+ "github.com/kyverno/kyverno/pkg/auth/checker"
+ manager "github.com/kyverno/kyverno/pkg/controllers/ttl"
+ admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
+ validation "github.com/kyverno/kyverno/pkg/validation/resource"
+ "github.com/kyverno/kyverno/pkg/webhooks/handlers"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type validationHandlers struct {
+ checker checker.AuthChecker
+}
+
+func New(checker checker.AuthChecker) *validationHandlers {
+ return &validationHandlers{
+ checker: checker,
+ }
+}
+
+func (h *validationHandlers) Validate(ctx context.Context, logger logr.Logger, request handlers.AdmissionRequest, _ time.Time) handlers.AdmissionResponse {
+ metadata, _, err := admissionutils.GetPartialObjectMetadatas(request.AdmissionRequest)
+ if err != nil {
+ logger.Error(err, "failed to unmarshal metadatas from admission request")
+ return admissionutils.ResponseSuccess(request.UID, err.Error())
+ }
+ if !manager.HasResourcePermissions(logger, schema.GroupVersionResource(request.AdmissionRequest.Resource), h.checker) {
+ logger.Info("doesn't have required permissions for deletion", "gvr", request.AdmissionRequest.Resource)
+ }
+ if err := validation.ValidateTtlLabel(ctx, metadata); err != nil {
+ logger.Error(err, "metadata validation errors")
+ return admissionutils.ResponseSuccess(request.UID, fmt.Sprintf("cleanup.kyverno.io/ttl label value cannot be parsed as any recognizable format (%s)", err.Error()))
+ }
+ return admissionutils.ResponseSuccess(request.UID)
+}
diff --git a/cmd/cleanup-controller/handlers/cleanup/condition.go b/cmd/cleanup-controller/handlers/cleanup/condition.go
deleted file mode 100644
index 1662e3ab8725..000000000000
--- a/cmd/cleanup-controller/handlers/cleanup/condition.go
+++ /dev/null
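Review bot: The result of `manager.HasResourcePermissions` is only logged in `Validate`; the request is still admitted without any warning, so whoever sets the TTL label never learns that the cleanup controller cannot delete the object when the TTL expires, while the two neighbouring failure branches do surface their problem through `ResponseSuccess`. Since this webhook is registered with an `Ignore` failure policy in main.go and the handler is warn-only by design, the consistent fix is to collect warnings and return them together instead of returning on the first one, assuming `admissionutils.ResponseSuccess` takes variadic warning strings as its two visible call shapes suggest. The rewritten tail of `Validate`:
```go
	// … unchanged: GetPartialObjectMetadatas call and its early return …
	var warnings []string
	if !manager.HasResourcePermissions(logger, schema.GroupVersionResource(request.AdmissionRequest.Resource), h.checker) {
		logger.Info("doesn't have required permissions for deletion", "gvr", request.AdmissionRequest.Resource)
		warnings = append(warnings, "cleanup controller lacks the permissions needed to delete this resource when its TTL expires")
	}
	if err := validation.ValidateTtlLabel(ctx, metadata); err != nil {
		logger.Error(err, "metadata validation errors")
		warnings = append(warnings, fmt.Sprintf("cleanup.kyverno.io/ttl label value cannot be parsed as any recognizable format (%s)", err.Error()))
	}
	return admissionutils.ResponseSuccess(request.UID, warnings...)
```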
@@ -1,45 +0,0 @@
-package cleanup
-
-import (
- "github.com/go-logr/logr"
- kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
- kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
- enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
- "github.com/kyverno/kyverno/pkg/engine/variables"
- "github.com/kyverno/kyverno/pkg/engine/variables/operator"
- "github.com/pkg/errors"
-)
-
-func checkAnyAllConditions(logger logr.Logger, ctx enginecontext.Interface, condition kyvernov2beta1.AnyAllConditions) (bool, error) {
- for _, condition := range condition.AllConditions {
- if passed, err := checkCondition(logger, ctx, condition); err != nil {
- return false, err
- } else if !passed {
- return false, nil
- }
- }
- for _, condition := range condition.AnyConditions {
- if passed, err := checkCondition(logger, ctx, condition); err != nil {
- return false, err
- } else if passed {
- return true, nil
- }
- }
- return len(condition.AnyConditions) == 0, nil
-}
-
-func checkCondition(logger logr.Logger, ctx enginecontext.Interface, condition kyvernov2beta1.Condition) (bool, error) {
- key, err := variables.SubstituteAllInPreconditions(logger, ctx, condition.GetKey())
- if err != nil {
- return false, errors.Wrapf(err, "failed to substitute variables in condition key")
- }
- value, err := variables.SubstituteAllInPreconditions(logger, ctx, condition.GetValue())
- if err != nil {
- return false, errors.Wrapf(err, "failed to substitute variables in condition value")
- }
- handler := operator.CreateOperatorHandler(logger, ctx, kyvernov1.ConditionOperator(condition.Operator))
- if handler == nil {
- return false, errors.Wrapf(err, "failed to create handler for condition operator")
- }
- return handler.Evaluate(key, value), nil
-}
diff --git a/cmd/cleanup-controller/handlers/cleanup/condition_test.go b/cmd/cleanup-controller/handlers/cleanup/condition_test.go
deleted file mode 100644
index aab19e7b27c0..000000000000
--- a/cmd/cleanup-controller/handlers/cleanup/condition_test.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package cleanup
-
-import (
- "testing"
-
- "github.com/go-logr/logr"
- kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
- enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
- "github.com/kyverno/kyverno/pkg/logging"
- v1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-)
-
-func Test_checkCondition(t *testing.T) {
- ctx := enginecontext.NewContext()
- ctx.AddResource(map[string]interface{}{
- "name": "dummy",
- })
- type args struct {
- logger logr.Logger
- ctx enginecontext.Interface
- condition kyvernov2beta1.Condition
- }
- tests := []struct {
- name string
- args args
- want bool
- wantErr bool
- }{{
- name: "basic",
- args: args{
- logger: logging.GlobalLogger(),
- ctx: ctx,
- condition: kyvernov2beta1.Condition{
- RawKey: &v1.JSON{
- Raw: []byte(`"{{ request.object.name }}"`),
- },
- Operator: kyvernov2beta1.ConditionOperators["Equals"],
- RawValue: &v1.JSON{
- Raw: []byte(`"dummy"`),
- },
- },
- },
- want: true,
- }}
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got, err := checkCondition(tt.args.logger, tt.args.ctx, tt.args.condition)
- if (err != nil) != tt.wantErr {
- t.Errorf("checkCondition() error = %v, wantErr %v", err, tt.wantErr)
- return
- }
- if got != tt.want {
- t.Errorf("checkCondition() = %v, want %v", got, tt.want)
- }
- })
- }
-}
diff --git a/cmd/cleanup-controller/handlers/cleanup/event.go b/cmd/cleanup-controller/handlers/cleanup/event.go
deleted file mode 100644
index bdc2a82ce71b..000000000000
--- a/cmd/cleanup-controller/handlers/cleanup/event.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package cleanup
-
-import (
- "github.com/kyverno/kyverno/pkg/client/clientset/versioned/scheme"
- "github.com/kyverno/kyverno/pkg/clients/dclient"
- corev1 "k8s.io/api/core/v1"
- utilruntime "k8s.io/apimachinery/pkg/util/runtime"
- typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
- "k8s.io/client-go/tools/record"
-)
-
-func newRecorder(client dclient.Interface) record.EventRecorder {
- utilruntime.Must(scheme.AddToScheme(scheme.Scheme))
- eventBroadcaster := record.NewBroadcaster()
- eventBroadcaster.StartStructuredLogging(0)
- eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{Interface: client.GetEventsInterface()})
- return eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: "cleanup-controller"})
-}
diff --git a/cmd/cleanup-controller/handlers/cleanup/handlers.go b/cmd/cleanup-controller/handlers/cleanup/handlers.go
deleted file mode 100644
index a9db141c0ad4..000000000000
--- a/cmd/cleanup-controller/handlers/cleanup/handlers.go
+++ /dev/null
@@ -1,201 +0,0 @@
-package cleanup
-
-import (
- "context"
- "fmt"
- "time"
-
- "github.com/go-logr/logr"
- kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
- kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1"
- kyvernov2alpha1listers "github.com/kyverno/kyverno/pkg/client/listers/kyverno/v2alpha1"
- "github.com/kyverno/kyverno/pkg/clients/dclient"
- "github.com/kyverno/kyverno/pkg/config"
- enginecontext "github.com/kyverno/kyverno/pkg/engine/context"
- "github.com/kyverno/kyverno/pkg/event"
- controllerutils "github.com/kyverno/kyverno/pkg/utils/controller"
- "github.com/kyverno/kyverno/pkg/utils/match"
- "go.uber.org/multierr"
- corev1 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "k8s.io/apimachinery/pkg/runtime"
- "k8s.io/apimachinery/pkg/util/sets"
- corev1listers "k8s.io/client-go/listers/core/v1"
- "k8s.io/client-go/tools/cache"
- "k8s.io/client-go/tools/record"
-)
-
-type handlers struct {
- client dclient.Interface
- cpolLister kyvernov2alpha1listers.ClusterCleanupPolicyLister
- polLister kyvernov2alpha1listers.CleanupPolicyLister
- nsLister corev1listers.NamespaceLister
- recorder record.EventRecorder
-}
-
-func New(
- client dclient.Interface,
- cpolLister kyvernov2alpha1listers.ClusterCleanupPolicyLister,
- polLister kyvernov2alpha1listers.CleanupPolicyLister,
- nsLister corev1listers.NamespaceLister,
-) *handlers {
- return &handlers{
- client: client,
- cpolLister: cpolLister,
- polLister: polLister,
- nsLister: nsLister,
- recorder: newRecorder(client),
- }
-}
-
-func (h *handlers) Cleanup(ctx context.Context, logger logr.Logger, name string, _ time.Time, cfg config.Configuration) error {
- logger.Info("cleaning up...")
- defer logger.Info("done")
- namespace, name, err := cache.SplitMetaNamespaceKey(name)
- if err != nil {
- return err
- }
- policy, err := h.lookupPolicy(namespace, name)
- if err != nil {
- return err
- }
- return h.executePolicy(ctx, logger, policy, cfg)
-}
-
-func (h *handlers) lookupPolicy(namespace, name string) (kyvernov2alpha1.CleanupPolicyInterface, error) {
- if namespace == "" {
- return h.cpolLister.Get(name)
- } else {
- return h.polLister.CleanupPolicies(namespace).Get(name)
- }
-}
-
-func (h *handlers) executePolicy(ctx context.Context, logger logr.Logger, policy kyvernov2alpha1.CleanupPolicyInterface, cfg config.Configuration) error {
- spec := policy.GetSpec()
- kinds := sets.New(spec.MatchResources.GetKinds()...)
- debug := logger.V(4)
- var errs []error
- for kind := range kinds {
- debug := debug.WithValues("kind", kind)
- debug.Info("processing...")
- list, err := h.client.ListResource(ctx, "", kind, policy.GetNamespace(), nil)
- if err != nil {
- debug.Error(err, "failed to list resources")
- errs = append(errs, err)
- } else {
- for i := range list.Items {
- resource := list.Items[i]
- namespace := resource.GetNamespace()
- name := resource.GetName()
- debug := debug.WithValues("name", name, "namespace", namespace)
- if !controllerutils.IsManagedByKyverno(&resource) {
- var nsLabels map[string]string
- if namespace != "" {
- ns, err := h.nsLister.Get(namespace)
- if err != nil {
- debug.Error(err, "failed to get namespace labels")
- errs = append(errs, err)
- }
- nsLabels = ns.GetLabels()
- }
- // match namespaces
- if err := match.CheckNamespace(policy.GetNamespace(), resource); err != nil {
- debug.Info("resource namespace didn't match policy namespace", "result", err)
- }
- // match resource with match/exclude clause
- matched := match.CheckMatchesResources(
- resource,
- spec.MatchResources,
- nsLabels,
- nil,
- "",
- // TODO(eddycharly): we don't have user info here, we should check that
- // we don't have user conditions in the policy rule
- kyvernov1beta1.RequestInfo{},
- nil,
- )
- if matched != nil {
- debug.Info("resource/match didn't match", "result", matched)
- continue
- }
- if spec.ExcludeResources != nil {
- excluded := match.CheckMatchesResources(
- resource,
- *spec.ExcludeResources,
- nsLabels,
- nil,
- "",
- // TODO(eddycharly): we don't have user info here, we should check that
- // we don't have user conditions in the policy rule
- kyvernov1beta1.RequestInfo{},
- nil,
- )
- if excluded == nil {
- debug.Info("resource/exclude matched")
- continue
- } else {
- debug.Info("resource/exclude didn't match", "result", excluded)
- }
- }
- // check conditions
- if spec.Conditions != nil {
- enginectx := enginecontext.NewContext()
- if err := enginectx.AddTargetResource(resource.Object); err != nil {
- debug.Error(err, "failed to add resource in context")
- errs = append(errs, err)
- continue
- }
- if err := enginectx.AddNamespace(resource.GetNamespace()); err != nil {
- debug.Error(err, "failed to add namespace in context")
- errs = append(errs, err)
- continue
- }
- if err := enginectx.AddImageInfos(&resource, cfg); err != nil {
- debug.Error(err, "failed to add image infos in context")
- errs = append(errs, err)
- continue
- }
- passed, err := checkAnyAllConditions(logger, enginectx, *spec.Conditions)
- if err != nil {
- debug.Error(err, "failed to check condition")
- errs = append(errs, err)
- continue
- }
- if !passed {
- debug.Info("conditions did not pass")
- continue
- }
- }
- logger.WithValues("name", name, "namespace", namespace).Info("resource matched, it will be deleted...")
- if err := h.client.DeleteResource(ctx, resource.GetAPIVersion(), resource.GetKind(), namespace, name, false); err != nil {
- debug.Error(err, "failed to delete resource")
- errs = append(errs, err)
- h.createEvent(policy, resource, err)
- } else {
- debug.Info("deleted")
- h.createEvent(policy, resource, nil)
- }
- }
- }
- }
- return multierr.Combine(errs...)
-}
-
-func (h *handlers) createEvent(policy kyvernov2alpha1.CleanupPolicyInterface, resource unstructured.Unstructured, err error) {
- var cleanuppol runtime.Object
- if policy.GetNamespace() == "" {
- cleanuppol = policy.(*kyvernov2alpha1.ClusterCleanupPolicy)
- } else if policy.GetNamespace() != "" {
- cleanuppol = policy.(*kyvernov2alpha1.CleanupPolicy)
- }
-
- switch err == nil {
- case true:
- msg := fmt.Sprintf("successfully cleaned up the target resource %v/%v/%v", resource.GetKind(), resource.GetNamespace(), resource.GetName())
- h.recorder.Event(cleanuppol, corev1.EventTypeNormal, event.PolicyApplied.String(), msg)
- case false:
- msg := fmt.Sprintf("failed to clean up the target resource %v/%v/%v: %v", resource.GetKind(), resource.GetNamespace(), resource.GetName(), err.Error())
- h.recorder.Event(cleanuppol, corev1.EventTypeWarning, event.PolicyError.String(), msg)
- }
-}
diff --git a/cmd/cleanup-controller/main.go b/cmd/cleanup-controller/main.go
index 27abd745a9e3..a86812b75320 100644
--- a/cmd/cleanup-controller/main.go
+++ b/cmd/cleanup-controller/main.go
@@ -8,30 +8,45 @@ import ( "sync" "time" - admissionhandlers "github.com/kyverno/kyverno/cmd/cleanup-controller/handlers/admission" - cleanuphandlers "github.com/kyverno/kyverno/cmd/cleanup-controller/handlers/cleanup" + "github.com/kyverno/kyverno/api/kyverno" + policyhandlers "github.com/kyverno/kyverno/cmd/cleanup-controller/handlers/admission/policy" + resourcehandlers "github.com/kyverno/kyverno/cmd/cleanup-controller/handlers/admission/resource" "github.com/kyverno/kyverno/cmd/internal" + "github.com/kyverno/kyverno/pkg/auth/checker" kyvernoinformer "github.com/kyverno/kyverno/pkg/client/informers/externalversions" - dynamicclient "github.com/kyverno/kyverno/pkg/clients/dynamic" - kubeclient "github.com/kyverno/kyverno/pkg/clients/kube" - kyvernoclient "github.com/kyverno/kyverno/pkg/clients/kyverno" "github.com/kyverno/kyverno/pkg/config" "github.com/kyverno/kyverno/pkg/controllers/certmanager" "github.com/kyverno/kyverno/pkg/controllers/cleanup" + genericloggingcontroller "github.com/kyverno/kyverno/pkg/controllers/generic/logging" genericwebhookcontroller "github.com/kyverno/kyverno/pkg/controllers/generic/webhook" + globalcontextcontroller "github.com/kyverno/kyverno/pkg/controllers/globalcontext" + ttlcontroller "github.com/kyverno/kyverno/pkg/controllers/ttl" + "github.com/kyverno/kyverno/pkg/event" + "github.com/kyverno/kyverno/pkg/globalcontext/store" + "github.com/kyverno/kyverno/pkg/informers" "github.com/kyverno/kyverno/pkg/leaderelection" - "github.com/kyverno/kyverno/pkg/metrics" + "github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/tls" + "github.com/kyverno/kyverno/pkg/toggle" + kubeutils "github.com/kyverno/kyverno/pkg/utils/kube" "github.com/kyverno/kyverno/pkg/webhooks" admissionregistrationv1 "k8s.io/api/admissionregistration/v1" corev1 "k8s.io/api/core/v1" + apiserver "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" kubeinformers 
"k8s.io/client-go/informers" ) const ( - resyncPeriod = 15 * time.Minute - webhookWorkers = 2 - webhookControllerName = "webhook-controller" + resyncPeriod = 15 * time.Minute + webhookWorkers = 2 + policyWebhookControllerName = "policy-webhook-controller" + ttlWebhookControllerName = "ttl-webhook-controller" +) + +var ( + caSecretName string + tlsSecretName string ) // TODO: 
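Review bot: `caSecretName` and `tlsSecretName` are introduced as package-level variables even though every visible use is inside `main` (the flag registration, the empty-value checks and the closures that capture them), which turns them into shared mutable state for the whole package. Unless server.go or another file reads them, they belong in `main`'s own `var (...)` block next to `dumpPayload` and `serverIP`, where the `flagset.StringVar` calls and the closures can still reach them. The `const` block itself only renames `webhookControllerName` into the two per-webhook names and needs no change.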
@@ -41,183 +56,324 @@ const ( type probes struct{} -func (probes) IsReady() bool { +func (probes) IsReady(context.Context) bool { return true } -func (probes) IsLive() bool { +func (probes) IsLive(context.Context) bool { return true } +func sanityChecks(apiserverClient apiserver.Interface) error { + return kubeutils.CRDsInstalled(apiserverClient, "cleanuppolicies.kyverno.io", "clustercleanuppolicies.kyverno.io") +} + func main() { var ( - leaderElectionRetryPeriod time.Duration - dumpPayload bool - serverIP string + dumpPayload bool + serverIP string + servicePort int + webhookServerPort int + maxQueuedEvents int + interval time.Duration + renewBefore time.Duration + maxAPICallResponseLength int64 ) flagset := flag.NewFlagSet("cleanup-controller", flag.ExitOnError) flagset.BoolVar(&dumpPayload, "dumpPayload", false, "Set this flag to activate/deactivate debug mode.") - flagset.DurationVar(&leaderElectionRetryPeriod, "leaderElectionRetryPeriod", leaderelection.DefaultRetryPeriod, "Configure leader election retry period.") flagset.StringVar(&serverIP, "serverIP", "", "IP address where Kyverno controller runs. 
Only required if out-of-cluster.") + flagset.IntVar(&servicePort, "servicePort", 443, "Port used by the Kyverno Service resource and for webhook configurations.") + flagset.IntVar(&webhookServerPort, "webhookServerPort", 9443, "Port used by the webhook server.") + flagset.IntVar(&maxQueuedEvents, "maxQueuedEvents", 1000, "Maximum events to be queued.") + flagset.DurationVar(&interval, "ttlReconciliationInterval", time.Minute, "Set this flag to set the interval after which the resource controller reconciliation should occur") + flagset.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse) + flagset.StringVar(&caSecretName, "caSecretName", "", "Name of the secret containing CA.") + flagset.StringVar(&tlsSecretName, "tlsSecretName", "", "Name of the secret containing TLS pair.") + flagset.DurationVar(&renewBefore, "renewBefore", 15*24*time.Hour, "The certificate renewal time before expiration") + flagset.Int64Var(&maxAPICallResponseLength, "maxAPICallResponseLength", 2*1000*1000, "Maximum allowed response size from API Calls. 
A value of 0 bypasses checks (not recommended).") // config appConfig := internal.NewConfiguration( internal.WithProfiling(), internal.WithMetrics(), internal.WithTracing(), internal.WithKubeconfig(), + internal.WithLeaderElection(), + internal.WithKyvernoClient(), + internal.WithKyvernoDynamicClient(), + internal.WithEventsClient(), + internal.WithConfigMapCaching(), + internal.WithDeferredLoading(), + internal.WithMetadataClient(), + internal.WithApiServerClient(), internal.WithFlagSets(flagset), ) // parse flags internal.ParseFlags(appConfig) - // setup logger - // show version - // start profiling - // setup signals - // setup maxprocs - // setup metrics - ctx, logger, metricsConfig, sdown := internal.Setup() - defer sdown() - // create instrumented clients - kubeClient := internal.CreateKubernetesClient(logger, kubeclient.WithMetrics(metricsConfig, metrics.KubeClient), kubeclient.WithTracing()) - leaderElectionClient := internal.CreateKubernetesClient(logger, kubeclient.WithMetrics(metricsConfig, metrics.KubeClient), kubeclient.WithTracing()) - kyvernoClient := internal.CreateKyvernoClient(logger, kyvernoclient.WithMetrics(metricsConfig, metrics.KubeClient), kyvernoclient.WithTracing()) - // setup leader election - le, err := leaderelection.New( - logger.WithName("leader-election"), - "kyverno-cleanup-controller", - config.KyvernoNamespace(), - leaderElectionClient, - config.KyvernoPodName(), - leaderElectionRetryPeriod, - func(ctx context.Context) { - logger := logger.WithName("leader") - // informer factories - kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod) - kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod) - kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace())) - // listers - secretLister := 
kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace()) - // controllers - renewer := tls.NewCertRenewer( - kubeClient.CoreV1().Secrets(config.KyvernoNamespace()), - secretLister, - tls.CertRenewalInterval, - tls.CAValidityDuration, - tls.TLSValidityDuration, - "", - ) - certController := internal.NewController( - certmanager.ControllerName, - certmanager.NewController( - kubeKyvernoInformer.Core().V1().Secrets(), - renewer, - ), - certmanager.Workers, - ) - webhookController := internal.NewController( - webhookControllerName, - genericwebhookcontroller.NewController( - webhookControllerName, - kubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(), - kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(), - kubeKyvernoInformer.Core().V1().Secrets(), - config.CleanupValidatingWebhookConfigurationName, - config.CleanupValidatingWebhookServicePath, + var wg sync.WaitGroup + func() { + // setup + ctx, setup, sdown := internal.Setup(appConfig, "kyverno-cleanup-controller", false) + defer sdown() + if caSecretName == "" { + setup.Logger.Error(errors.New("exiting... caSecretName is a required flag"), "exiting... caSecretName is a required flag") + os.Exit(1) + } + if tlsSecretName == "" { + setup.Logger.Error(errors.New("exiting... tlsSecretName is a required flag"), "exiting... 
tlsSecretName is a required flag") + os.Exit(1) + } + if err := sanityChecks(setup.ApiServerClient); err != nil { + setup.Logger.Error(err, "sanity checks failed") + os.Exit(1) + } + // certificates informers + caSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), caSecretName, resyncPeriod) + tlsSecret := informers.NewSecretInformer(setup.KubeClient, config.KyvernoNamespace(), tlsSecretName, resyncPeriod) + if !informers.StartInformersAndWaitForCacheSync(ctx, setup.Logger, caSecret, tlsSecret) { + setup.Logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync") + os.Exit(1) + } + checker := checker.NewSelfChecker(setup.KubeClient.AuthorizationV1().SelfSubjectAccessReviews()) + // informer factories + kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod) + kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(setup.KyvernoClient, resyncPeriod) + // listers + nsLister := kubeInformer.Core().V1().Namespaces().Lister() + // log policy changes + genericloggingcontroller.NewController( + setup.Logger.WithName("cleanup-policy"), + "CleanupPolicy", + kyvernoInformer.Kyverno().V2().CleanupPolicies(), + genericloggingcontroller.CheckGeneration, + ) + genericloggingcontroller.NewController( + setup.Logger.WithName("cluster-cleanup-policy"), + "ClusterCleanupPolicy", + kyvernoInformer.Kyverno().V2().ClusterCleanupPolicies(), + genericloggingcontroller.CheckGeneration, + ) + eventGenerator := event.NewEventGenerator( + setup.EventsClient, + logging.WithName("EventGenerator"), + maxQueuedEvents, + ) + eventController := internal.NewController( + event.ControllerName, + eventGenerator, + event.Workers, + ) + gcstore := store.New() + gceController := internal.NewController( + globalcontextcontroller.ControllerName, + globalcontextcontroller.NewController( + kyvernoInformer.Kyverno().V2alpha1().GlobalContextEntries(), + setup.KyvernoDynamicClient, + setup.KyvernoClient, 
+ gcstore, + eventGenerator, + maxAPICallResponseLength, + false, + ), + globalcontextcontroller.Workers, + ) + // start informers and wait for cache sync + if !internal.StartInformersAndWaitForCacheSync(ctx, setup.Logger, kubeInformer, kyvernoInformer) { + os.Exit(1) + } + // setup leader election + le, err := leaderelection.New( + setup.Logger.WithName("leader-election"), + "kyverno-cleanup-controller", + config.KyvernoNamespace(), + setup.LeaderElectionClient, + config.KyvernoPodName(), + internal.LeaderElectionRetryPeriod(), + func(ctx context.Context) { + logger := setup.Logger.WithName("leader") + // informer factories + kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(setup.KubeClient, resyncPeriod) + kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(setup.KyvernoClient, resyncPeriod) + + cmResolver := internal.NewConfigMapResolver(ctx, setup.Logger, setup.KubeClient, resyncPeriod) + + // controllers + renewer := tls.NewCertRenewer( + setup.KubeClient.CoreV1().Secrets(config.KyvernoNamespace()), + tls.CertRenewalInterval, + tls.CAValidityDuration, + tls.TLSValidityDuration, + renewBefore, serverIP, - []admissionregistrationv1.RuleWithOperations{{ - Rule: admissionregistrationv1.Rule{ - APIGroups: []string{"kyverno.io"}, - APIVersions: []string{"v2alpha1"}, - Resources: []string{ - "cleanuppolicies/*", - "clustercleanuppolicies/*", + config.KyvernoServiceName(), + config.DnsNames(config.KyvernoServiceName(), config.KyvernoNamespace()), + config.KyvernoNamespace(), + caSecretName, + tlsSecretName, + ) + certController := internal.NewController( + certmanager.ControllerName, + certmanager.NewController( + caSecret, + tlsSecret, + renewer, + caSecretName, + tlsSecretName, + config.KyvernoNamespace(), + ), + certmanager.Workers, + ) + policyValidatingWebhookController := internal.NewController( + policyWebhookControllerName, + genericwebhookcontroller.NewController( + policyWebhookControllerName, + 
setup.KubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(), + kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(), + caSecret, + config.CleanupValidatingWebhookConfigurationName, + config.CleanupValidatingWebhookServicePath, + serverIP, + int32(servicePort), + int32(webhookServerPort), + nil, + []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"kyverno.io"}, + APIVersions: []string{"v2beta1"}, + Resources: []string{ + "cleanuppolicies/*", + "clustercleanuppolicies/*", + }, + }, + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + }, + }, + genericwebhookcontroller.Fail, + genericwebhookcontroller.None, + setup.Configuration, + caSecretName, + ), + webhookWorkers, + ) + ttlWebhookController := internal.NewController( + ttlWebhookControllerName, + genericwebhookcontroller.NewController( + ttlWebhookControllerName, + setup.KubeClient.AdmissionregistrationV1().ValidatingWebhookConfigurations(), + kubeInformer.Admissionregistration().V1().ValidatingWebhookConfigurations(), + caSecret, + config.TtlValidatingWebhookConfigurationName, + config.TtlValidatingWebhookServicePath, + serverIP, + int32(servicePort), + int32(webhookServerPort), + &metav1.LabelSelector{ + MatchExpressions: []metav1.LabelSelectorRequirement{ + { + Key: kyverno.LabelCleanupTtl, + Operator: metav1.LabelSelectorOpExists, + }, }, }, - Operations: []admissionregistrationv1.OperationType{ - admissionregistrationv1.Create, - admissionregistrationv1.Update, + []admissionregistrationv1.RuleWithOperations{ + { + Rule: admissionregistrationv1.Rule{ + APIGroups: []string{"*"}, + APIVersions: []string{"*"}, + Resources: []string{"*"}, + }, + Operations: []admissionregistrationv1.OperationType{ + admissionregistrationv1.Create, + admissionregistrationv1.Update, + }, + }, }, - }}, - genericwebhookcontroller.Fail, - 
genericwebhookcontroller.None, - ), - webhookWorkers, - ) - cleanupController := internal.NewController( - cleanup.ControllerName, - cleanup.NewController( - kubeClient, - kyvernoInformer.Kyverno().V2alpha1().ClusterCleanupPolicies(), - kyvernoInformer.Kyverno().V2alpha1().CleanupPolicies(), - kubeInformer.Batch().V1().CronJobs(), - "https://"+config.KyvernoServiceName()+"."+config.KyvernoNamespace()+".svc", - ), - cleanup.Workers, - ) - // start informers and wait for cache sync - if !internal.StartInformersAndWaitForCacheSync(ctx, kyvernoInformer, kubeInformer, kubeKyvernoInformer) { - logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync") - os.Exit(1) - } - // start leader controllers - var wg sync.WaitGroup - certController.Run(ctx, logger, &wg) - webhookController.Run(ctx, logger, &wg) - cleanupController.Run(ctx, logger, &wg) - // wait all controllers shut down - wg.Wait() - }, - nil, - ) - if err != nil { - logger.Error(err, "failed to initialize leader election") - os.Exit(1) - } - dynamicClient := internal.CreateDynamicClient(logger, dynamicclient.WithMetrics(metricsConfig, metrics.KyvernoClient), dynamicclient.WithTracing()) - dClient := internal.CreateDClient(logger, ctx, dynamicClient, kubeClient, 15*time.Minute) - // informer factories - kubeInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod) - kubeKyvernoInformer := kubeinformers.NewSharedInformerFactoryWithOptions(kubeClient, resyncPeriod, kubeinformers.WithNamespace(config.KyvernoNamespace())) - kyvernoInformer := kyvernoinformer.NewSharedInformerFactory(kyvernoClient, resyncPeriod) - // listers - secretLister := kubeKyvernoInformer.Core().V1().Secrets().Lister().Secrets(config.KyvernoNamespace()) - cpolLister := kyvernoInformer.Kyverno().V2alpha1().ClusterCleanupPolicies().Lister() - polLister := kyvernoInformer.Kyverno().V2alpha1().CleanupPolicies().Lister() - nsLister := kubeInformer.Core().V1().Namespaces().Lister() - // 
start informers and wait for cache sync - if !internal.StartInformersAndWaitForCacheSync(ctx, kubeKyvernoInformer, kubeInformer, kyvernoInformer) { - os.Exit(1) - } - // create handlers - admissionHandlers := admissionhandlers.New(dClient) - cleanupHandlers := cleanuphandlers.New(dClient, cpolLister, polLister, nsLister) - // create server - server := NewServer( - func() ([]byte, []byte, error) { - secret, err := secretLister.Get(tls.GenerateTLSPairSecretName()) - if err != nil { - return nil, nil, err - } - return secret.Data[corev1.TLSCertKey], secret.Data[corev1.TLSPrivateKeyKey], nil - }, - admissionHandlers.Validate, - cleanupHandlers.Cleanup, - metricsConfig, - webhooks.DebugModeOptions{ - DumpPayload: dumpPayload, - }, - probes{}, - config.NewDefaultConfiguration(), - ) - // start server - server.Run(ctx.Done()) - // wait for termination signal and run leader election loop - for { - select { - case <-ctx.Done(): - return - default: - le.Run(ctx) + genericwebhookcontroller.Ignore, + genericwebhookcontroller.None, + setup.Configuration, + caSecretName, + ), + webhookWorkers, + ) + cleanupController := internal.NewController( + cleanup.ControllerName, + cleanup.NewController( + setup.KyvernoDynamicClient, + setup.KyvernoClient, + kyvernoInformer.Kyverno().V2().ClusterCleanupPolicies(), + kyvernoInformer.Kyverno().V2().CleanupPolicies(), + nsLister, + setup.Configuration, + cmResolver, + setup.Jp, + eventGenerator, + gcstore, + ), + cleanup.Workers, + ) + ttlManagerController := internal.NewController( + ttlcontroller.ControllerName, + ttlcontroller.NewManager( + setup.MetadataClient, + setup.KubeClient.Discovery(), + checker, + interval, + ), + ttlcontroller.Workers, + ) + // start informers and wait for cache sync + if !internal.StartInformersAndWaitForCacheSync(ctx, logger, kyvernoInformer, kubeInformer) { + logger.Error(errors.New("failed to wait for cache sync"), "failed to wait for cache sync") + os.Exit(1) + } + // start leader controllers + var wg 
sync.WaitGroup + certController.Run(ctx, logger, &wg) + policyValidatingWebhookController.Run(ctx, logger, &wg) + ttlWebhookController.Run(ctx, logger, &wg) + cleanupController.Run(ctx, logger, &wg) + ttlManagerController.Run(ctx, logger, &wg) + wg.Wait() + }, + nil, + ) + if err != nil { + setup.Logger.Error(err, "failed to initialize leader election") + os.Exit(1) } - } + // create handlers + policyHandlers := policyhandlers.New(setup.KyvernoDynamicClient) + resourceHandlers := resourcehandlers.New(checker) + // create server + server := NewServer( + func() ([]byte, []byte, error) { + secret, err := tlsSecret.Lister().Secrets(config.KyvernoNamespace()).Get(tlsSecretName) + if err != nil { + return nil, nil, err + } + return secret.Data[corev1.TLSCertKey], secret.Data[corev1.TLSPrivateKeyKey], nil + }, + policyHandlers.Validate, + resourceHandlers.Validate, + setup.MetricsManager, + webhooks.DebugModeOptions{ + DumpPayload: dumpPayload, + }, + probes{}, + setup.Configuration, + ) + // start server + server.Run() + defer server.Stop() + // start non leader controllers + eventController.Run(ctx, setup.Logger, &wg) + gceController.Run(ctx, setup.Logger, &wg) + // start leader election + le.Run(ctx) + }() + // wait for everything to shut down and exit + wg.Wait() } diff --git a/cmd/cleanup-controller/server.go b/cmd/cleanup-controller/server.go index f4b2027b5d7a..211d7929552c 100644 --- a/cmd/cleanup-controller/server.go +++ b/cmd/cleanup-controller/server.go 
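Review bot: The TLS provider closure passed to `NewServer` returns `secret.Data[corev1.TLSCertKey]` and `secret.Data[corev1.TLSPrivateKeyKey]` without checking that either key is present, so a secret named by `--tlsSecretName` that lacks one of them yields `nil, nil, nil` and the failure only surfaces later, wherever the server parses the pair, with a less specific error. Checking both values at the point of retrieval gives an actionable message naming the missing secret keys, using the `errors` package this file already imports. Separately, `checker := checker.NewSelfChecker(...)` shadows the imported `checker` package for the rest of the setup closure; a local such as `authChecker` avoids that. The closure's rewritten lines:
```go
		func() ([]byte, []byte, error) {
			// … unchanged: lister Get and its error return …
			cert, key := secret.Data[corev1.TLSCertKey], secret.Data[corev1.TLSPrivateKeyKey]
			if len(cert) == 0 || len(key) == 0 {
				return nil, nil, errors.New("tls secret is missing " + corev1.TLSCertKey + " or " + corev1.TLSPrivateKeyKey)
			}
			return cert, key, nil
		},
```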
@@ -8,21 +8,19 @@ import ( "github.com/go-logr/logr" "github.com/julienschmidt/httprouter" + "github.com/kyverno/kyverno/cmd/internal" "github.com/kyverno/kyverno/pkg/config" - "github.com/kyverno/kyverno/pkg/controllers/cleanup" "github.com/kyverno/kyverno/pkg/logging" "github.com/kyverno/kyverno/pkg/metrics" "github.com/kyverno/kyverno/pkg/webhooks" "github.com/kyverno/kyverno/pkg/webhooks/handlers" - admissionv1 "k8s.io/api/admission/v1" - apierrors "k8s.io/apimachinery/pkg/api/errors" ) type Server interface { // Run TLS server in separate thread and returns control immediately - Run(<-chan struct{}) + Run() // Stop TLS server and returns control after the server is shut down - Stop(context.Context) + Stop() } type server struct { 
@@ -30,42 +28,29 @@ type server struct { } type ( - TlsProvider = func() ([]byte, []byte, error) - ValidationHandler = func(context.Context, logr.Logger, *admissionv1.AdmissionRequest, time.Time) *admissionv1.AdmissionResponse - CleanupHandler = func(context.Context, logr.Logger, string, time.Time, config.Configuration) error + TlsProvider = func() ([]byte, []byte, error) + ValidationHandler = func(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) handlers.AdmissionResponse + LabelValidationHandler = func(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) handlers.AdmissionResponse + CleanupHandler = func(context.Context, logr.Logger, string, time.Time, config.Configuration) error ) type Probes interface { - IsReady() bool - IsLive() bool + IsReady(context.Context) bool + IsLive(context.Context) bool } // NewServer creates new instance of server accordingly to given configuration func NewServer( tlsProvider TlsProvider, validationHandler ValidationHandler, - cleanupHandler CleanupHandler, + labelValidationHandler LabelValidationHandler, metricsConfig metrics.MetricsConfigManager, debugModeOpts webhooks.DebugModeOptions, probes Probes, cfg config.Configuration, ) Server { policyLogger := logging.WithName("cleanup-policy") - cleanupLogger := logging.WithName("cleanup") - cleanupHandlerFunc := func(w http.ResponseWriter, r *http.Request) { - policy := r.URL.Query().Get("policy") - logger := cleanupLogger.WithValues("policy", policy) - err := cleanupHandler(r.Context(), logger, policy, time.Now(), cfg) - if err == nil { - w.WriteHeader(http.StatusOK) - } else { - if apierrors.IsNotFound(err) { - w.WriteHeader(http.StatusNotFound) - } else { - w.WriteHeader(http.StatusInternalServerError) - } - } - } + labelLogger := logging.WithName("ttl-label") mux := httprouter.New() mux.HandlerFunc( "POST", 
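Review bot: `LabelValidationHandler` is declared as an alias with exactly the same signature as `ValidationHandler` (`func(context.Context, logr.Logger, handlers.AdmissionRequest, time.Time) handlers.AdmissionResponse`), so the compiler cannot tell the two apart and `NewServer`'s positional `validationHandler` and `labelValidationHandler` arguments can be swapped silently at the call site with no type error. If the distinct name is meant to document that the second route validates TTL-label admission requests (the `ttl-label` logger and `TtlValidatingWebhookServicePath` route below), the cheapest fix is a comment on the alias, e.g. `// LabelValidationHandler serves the TTL-label validating webhook; it has the same shape as ValidationHandler.`; if the intent is to make a swap a compile error, declaring both as distinct named func types (`type ... func(...)`) rather than `=` aliases would do that, at the cost of explicit conversions where they are passed to `handlers.FromAdmissionFunc`, which I cannot confirm from here. The body of `NewServer` continues past the end of this hunk.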
@@ -75,21 +60,23 @@ func NewServer( WithSubResourceFilter(). WithMetrics(policyLogger, metricsConfig.Config(), metrics.WebhookValidating). WithAdmission(policyLogger.WithName("validate")). - ToHandlerFunc(), + ToHandlerFunc("VALIDATE"), ) mux.HandlerFunc( - "GET", - cleanup.CleanupServicePath, - handlers.HttpHandler(cleanupHandlerFunc). - WithMetrics(policyLogger). - WithTrace("CLEANUP"). - ToHandlerFunc(), + "POST", + config.TtlValidatingWebhookServicePath, + handlers.FromAdmissionFunc("VALIDATE", labelValidationHandler). + WithDump(debugModeOpts.DumpPayload). + WithSubResourceFilter(). + WithMetrics(labelLogger, metricsConfig.Config(), metrics.WebhookValidating). + WithAdmission(labelLogger.WithName("validate")). + ToHandlerFunc("VALIDATE"), ) mux.HandlerFunc("GET", config.LivenessServicePath, handlers.Probe(probes.IsLive)) mux.HandlerFunc("GET", config.ReadinessServicePath, handlers.Probe(probes.IsReady)) return &server{ server: &http.Server{ - Addr: ":9443", + Addr: ":" + internal.CleanupServerPort(), TLSConfig: &tls.Config{ GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { certPem, keyPem, err := tlsProvider() @@ -103,6 +90,15 @@ func NewServer( return &pair, nil }, MinVersion: tls.VersionTLS12, + CipherSuites: []uint16{ + // AEADs w/ ECDHE + tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, }, Handler: mux, ReadTimeout: 30 * time.Second, @@ -114,7 +110,7 @@ func NewServer( } } -func (s *server) Run(stopCh <-chan struct{}) { +func (s *server) Run() { go func() { if err := s.server.ListenAndServeTLS("", ""); err != nil { logging.Error(err, "failed to start server") 
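Review bot: The new `CipherSuites` list only constrains TLS 1.2 handshakes: Go's `crypto/tls` ignores this field for TLS 1.3, whose suites are fixed by the library and not configurable, so with `MinVersion: tls.VersionTLS12` the hardening applies exactly to clients that negotiate 1.2 and a reader may otherwise assume it also restricts 1.3. A one-line comment on the field would prevent that misreading, e.g. `// Restricts TLS 1.2 negotiations to ECDHE AEAD suites; TLS 1.3 suites are fixed by Go and unaffected.`. Note also that, as the surrounding context shows, the server presents a certificate but configures no `ClientAuth`, so any peer that can reach the port can submit admission reviews; that is pre-existing and not introduced here, but worth keeping in mind when documenting what this list does and does not protect against.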
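Review bot: In the new `Run()` goroutine, `ListenAndServeTLS` returns `http.ErrServerClosed` as its error after a successful `Shutdown` or `Close`, so the normal stop path will log `"failed to start server"` at error level unless that case is filtered further down (the goroutine body continues outside this hunk). The guard should exclude the sentinel: `if err := s.server.ListenAndServeTLS("", ""); err != nil && !errors.Is(err, http.ErrServerClosed) {`; if the `errors` package is not already imported in this file, `err != http.ErrServerClosed` is equivalent here because `net/http` returns the sentinel unwrapped. Dropping the `stopCh` parameter also means nothing in `Run` now observes cancellation, which is fine only because `Stop()` is the sole shutdown path; a comment on the `Server` interface stating that would help the next reader.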
@@ -122,7 +118,9 @@ func (s *server) Run(stopCh <-chan struct{}) { }() } -func (s *server) Stop(ctx context.Context) { +func (s *server) Stop() { + ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) + defer cancel() err := s.server.Shutdown(ctx) if err != nil { err = s.server.Close() diff --git a/cmd/cli/kubectl-kyverno/README.md b/cmd/cli/kubectl-kyverno/README.md new file mode 100644 index 000000000000..c02615104656 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/README.md 
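Review bot: `Stop()` now hard-codes a 30-second graceful-shutdown deadline and, by dropping the `context.Context` parameter, removes the caller's ability to bound shutdown to its own termination budget (the caller in `main` defers `server.Stop()`); the magic number should at least be a named constant so it is visible next to the server's other 30s timeouts, `const shutdownTimeout = 30 * time.Second` and `ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout)`. The `Server.Stop` doc comment in the interface ("returns control after the server is shut down") should also say that shutdown is bounded by this timeout and falls back to `Close()`, since that is now the contract. The error handling after `Close()` continues outside this hunk.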
@@ -0,0 +1,66 @@ +# kubectl-kyverno + +![logo](../../../img/Kyverno_Horizontal.png) + +This repository contains [Kyverno CLI](https://kyverno.io/docs/kyverno-cli/) source code. + +The CLI can be used as a standalone tool or as a kubectl plugin. + +## 📙 Documentation + +👉 **[Installation](https://kyverno.io/docs/kyverno-cli/#building-and-installing-the-cli)** + +👉 **[Installation](https://kyverno.io/docs/kyverno-cli/#cli-commands)** + +👉 **[Reference docs](../../../docs/user/cli/commands/kyverno.md)** + +## 🔧 GitHub Action + +You can install the Kyverno CLI in your GitHub workflows easily using the [kyverno-cli-installer](https://github.com/kyverno/action-install-cli) GitHub action. + +Check the documentation in the [GitHub repository](https://github.com/kyverno/action-install-cli) or [GitHub marketplace](https://github.com/marketplace/actions/kyverno-cli-installer). + +## 🙋‍♂️ Help + +Use `kyverno --help` to list supported commands and their corresponding flags: + +```shell +To enable experimental commands, KYVERNO_EXPERIMENTAL should be configured with true or 1. + +Usage: + kyverno [command] + +Available Commands: + apply Applies policies on resources. + completion Generate the autocompletion script for the specified shell + create Provides a command-line interface to help with the creation of various Kyverno resources. + docs Generates documentation. + help Help about any command + jp Provides a command-line interface to JMESPath, enhanced with Kyverno specific custom functions. + test Run tests from directory. + version Shows current version of kyverno. 
+ +Flags: + --add_dir_header If true, adds the file directory to the header of the log messages + --alsologtostderr log to standard error as well as files (no effect when -logtostderr=true) + -h, --help help for kyverno + --log_backtrace_at traceLocation when logging hits line file:N, emit a stack trace (default :0) + --log_dir string If non-empty, write log files in this directory (no effect when -logtostderr=true) + --log_file string If non-empty, use this log file (no effect when -logtostderr=true) + --log_file_max_size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800) + --logtostderr log to standard error instead of files (default true) + --one_output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true) + --skip_headers If true, avoid header prefixes in the log messages + --skip_log_headers If true, avoid headers when opening log files (no effect when -logtostderr=true) + --stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2) + -v, --v Level number for the log level verbosity + --vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging +``` + +To enable experimental commands, `KYVERNO_EXPERIMENTAL` should be configured with true or 1. + +## License + +Copyright 2023, the Kyverno project. All rights reserved. Kyverno is licensed under the [Apache License 2.0](LICENSE). + +Kyverno is a [Cloud Native Computing Foundation (CNCF) Incubating project](https://www.cncf.io/projects/) and was contributed by [Nirmata](https://nirmata.com/?utm_source=github&utm_medium=repository). 
diff --git a/cmd/cli/kubectl-kyverno/_testdata/apply/test-1/policy.yaml b/cmd/cli/kubectl-kyverno/_testdata/apply/test-1/policy.yaml new file mode 100644 index 000000000000..62ce291ff9d9 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/apply/test-1/policy.yaml @@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-policy + annotations: + policies.kyverno.io/title: "Lol Security Standards" + policies.kyverno.io/category: "Lol Security Standards" + policies.kyverno.io/severity: "high" + policies.kyverno.io/subject: "Pod" +spec: + background: true + failurePolicy: Fail + rules: + - name: restrict-lol-annotation + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + If "lol" annotation is present then + its value can be only one of "such lol", "much annotation". + pattern: + # syntax refdoc: https://kyverno.io/docs/writing-policies/validate/#anchors + =(metadata): + =(annotations): + =(lol): such lol | much annotation diff --git a/cmd/cli/kubectl-kyverno/_testdata/apply/test-1/resources.yaml b/cmd/cli/kubectl-kyverno/_testdata/apply/test-1/resources.yaml new file mode 100644 index 000000000000..d672c501d28a --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/apply/test-1/resources.yaml 
@@ -0,0 +1,101 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: lol + name: i-will-fail-the-policy-check +spec: + selector: + matchLabels: + app: lol + template: + metadata: + labels: + app: lol + annotations: {} + spec: + containers: + - image: woot + name: woot +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: lol + name: no-annotations-pass +spec: + selector: + matchLabels: + app: lol + template: + metadata: + labels: + app: lol +# annotations: + spec: + containers: + - image: woot + name: woot +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: lol + name: empty-object-pass +spec: + selector: + matchLabels: + app: lol + template: + metadata: + labels: + app: lol + annotations: {} + spec: + containers: + - image: woot + name: woot +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: lol + name: correct-lol-annotation-pass +spec: + selector: + matchLabels: + app: lol + template: + metadata: + labels: + app: lol + annotations: + lol: much annotation + spec: + containers: + - image: woot + name: woot +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: lol + name: unrelated-annotation-pass +spec: + selector: + matchLabels: + app: lol + template: + metadata: + labels: + app: lol + annotations: + much: unrelated + spec: + containers: + - image: woot + name: woot \ No newline at end of file diff --git a/cmd/cli/kubectl-kyverno/_testdata/apply/test-2/policy.yaml b/cmd/cli/kubectl-kyverno/_testdata/apply/test-2/policy.yaml new file mode 100644 index 000000000000..62ce291ff9d9 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/apply/test-2/policy.yaml 
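Review bot: The first Deployment, `i-will-fail-the-policy-check`, has `annotations: {}` — exactly the same template as the third, `empty-object-pass` — so under the test-1 policy's `=(lol): such lol | much annotation` anchor it can only evaluate the same way, and one of the two names is misleading about the expected outcome. The sibling fixture in `apply/test-2/resources.yaml` gives the failing case a disallowed value (`lol: not much`), which is presumably what was intended here; if so, the first resource should carry `annotations:` / `lol: not much` instead of `{}`, and if test-1 is deliberately an all-pass set, the resource should be renamed so the fixture's names match what the CLI will report.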
@@ -0,0 +1,28 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: test-policy + annotations: + policies.kyverno.io/title: "Lol Security Standards" + policies.kyverno.io/category: "Lol Security Standards" + policies.kyverno.io/severity: "high" + policies.kyverno.io/subject: "Pod" +spec: + background: true + failurePolicy: Fail + rules: + - name: restrict-lol-annotation + match: + any: + - resources: + kinds: + - Pod + validate: + message: >- + If "lol" annotation is present then + its value can be only one of "such lol", "much annotation". + pattern: + # syntax refdoc: https://kyverno.io/docs/writing-policies/validate/#anchors + =(metadata): + =(annotations): + =(lol): such lol | much annotation diff --git a/cmd/cli/kubectl-kyverno/_testdata/apply/test-2/resources.yaml b/cmd/cli/kubectl-kyverno/_testdata/apply/test-2/resources.yaml new file mode 100644 index 000000000000..53bd03e686f8 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/apply/test-2/resources.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: lol + name: i-will-fail-the-policy-check +spec: + selector: + matchLabels: + app: lol + template: + metadata: + labels: + app: lol + annotations: + lol: not much + spec: + containers: + - image: woot + name: woot diff --git a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml new file mode 100644 index 000000000000..8dc690aa2ffa --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception-and-policy.yaml 
@@ -0,0 +1,42 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: delta-exception + namespace: delta +spec: + exceptions: + - policyName: disallow-host-namespaces + ruleNames: + - host-namespaces + - autogen-host-namespaces + match: + any: + - resources: + kinds: + - Pod + - Deployment + namespaces: + - delta + names: + - important-tool* +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + name: require-ns-purpose-label + namespace: test +spec: + rules: + - name: require-ns-purpose-label + match: + any: + - resources: + kinds: + - Namespace + validate: + validationFailureAction: Enforce + message: "You must have label 'purpose' with value 'production' set on all new namespaces." + pattern: + metadata: + labels: + purpose: production diff --git a/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception.yaml b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception.yaml new file mode 100644 index 000000000000..93dd81a83c81 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/exceptions/exception.yaml @@ -0,0 +1,21 @@ +apiVersion: kyverno.io/v2 +kind: PolicyException +metadata: + name: delta-exception + namespace: delta +spec: + exceptions: + - policyName: disallow-host-namespaces + ruleNames: + - host-namespaces + - autogen-host-namespaces + match: + any: + - resources: + kinds: + - Pod + - Deployment + namespaces: + - delta + names: + - important-tool* diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/artifacthub-pkg.yml b/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/artifacthub-pkg.yml new file mode 100644 index 000000000000..36b85beda255 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: add-network-policy +version: 1.0.0 +displayName: Add Network Policy +createdAt: "2023-04-10T19:47:15.000Z" +description: >- + By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-network-policy/add-network-policy.yaml + ``` +keywords: + - kyverno + - Multi-Tenancy + - EKS Best Practices +readme: | + By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Multi-Tenancy, EKS Best Practices" + kyverno/subject: "NetworkPolicy" +digest: d01c7f24cf053549534bba5b98cc479ee0e5a4a01f810b8a45d11c86b26d846e \ No newline at end of file 
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/chainsaw-test.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/chainsaw-test.yaml new file mode 100644 index 000000000000..e31c8a89a23f --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/chainsaw-test.yaml @@ -0,0 +1,27 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Test +metadata: + creationTimestamp: null + name: add-network-policy +spec: + steps: + - name: step-01 + try: + - apply: + file: old-resource.yaml + - name: step-02 + try: + - apply: + file: ../add-network-policy.yaml + - assert: + file: policy-ready.yaml + - name: step-03 + try: + - apply: + file: ../.kyverno-test/resource.yaml + - name: step-04 + try: + - assert: + file: ../.kyverno-test/generatedResource.yaml + - error: + file: notGeneratedResource.yaml \ No newline at end of file diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/policy-ready.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/policy-ready.yaml new file mode 100644 index 000000000000..cf7a8d910252 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-invalid/policy-ready.yaml @@ -0,0 +1,6 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: add-networkpolicy +status: + ready: true \ No newline at end of file diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/artifacthub-pkg.yml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/artifacthub-pkg.yml new file mode 100644 index 000000000000..36b85beda255 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: add-network-policy +version: 1.0.0 +displayName: Add Network Policy +createdAt: "2023-04-10T19:47:15.000Z" +description: >- + By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-network-policy/add-network-policy.yaml + ``` +keywords: + - kyverno + - Multi-Tenancy + - EKS Best Practices +readme: | + By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Multi-Tenancy, EKS Best Practices" + kyverno/subject: "NetworkPolicy" +digest: d01c7f24cf053549534bba5b98cc479ee0e5a4a01f810b8a45d11c86b26d846e \ No newline at end of file 
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml new file mode 100644 index 000000000000..2b9137d16944 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/cpol-pod-requirements.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + name: pod-requirements +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-account + validate: + validationFailureAction: Audit + message: User pods must include an account for charging + pattern: + metadata: + labels: + account: '*?' + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-limits + validate: + validationFailureAction: Audit + message: CPU and memory resource requests and limits are required for user pods + pattern: + spec: + containers: + - resources: + limits: + cpu: ?* + memory: ?* + requests: + cpu: ?* + memory: ?* diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/artifacthub-pkg.yml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/artifacthub-pkg.yml new file mode 100644 index 000000000000..36b85beda255 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/artifacthub-pkg.yml 
@@ -0,0 +1,22 @@ +name: add-network-policy +version: 1.0.0 +displayName: Add Network Policy +createdAt: "2023-04-10T19:47:15.000Z" +description: >- + By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created. +install: |- + ```shell + kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/best-practices/add-network-policy/add-network-policy.yaml + ``` +keywords: + - kyverno + - Multi-Tenancy + - EKS Best Practices +readme: | + By default, Kubernetes allows communications across all Pods within a cluster. The NetworkPolicy resource and a CNI plug-in that supports NetworkPolicy must be used to restrict communications. A default NetworkPolicy should be configured for each Namespace to default deny all ingress and egress traffic to the Pods in the Namespace. Application teams can then configure additional NetworkPolicy resources to allow desired traffic to application Pods from select sources. This policy will create a new NetworkPolicy resource named `default-deny` which will deny all traffic anytime a new Namespace is created. + + Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ +annotations: + kyverno/category: "Multi-Tenancy, EKS Best Practices" + kyverno/subject: "NetworkPolicy" +digest: d01c7f24cf053549534bba5b98cc479ee0e5a4a01f810b8a45d11c86b26d846e \ No newline at end of file 
diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml new file mode 100644 index 000000000000..2b9137d16944 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies-mixed/nested/cpol-pod-requirements.yaml @@ -0,0 +1,45 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + name: pod-requirements +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-account + validate: + validationFailureAction: Audit + message: User pods must include an account for charging + pattern: + metadata: + labels: + account: '*?' + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-limits + validate: + validationFailureAction: Audit + message: CPU and memory resource requests and limits are required for user pods + pattern: + spec: + containers: + - resources: + limits: + cpu: ?* + memory: ?* + requests: + cpu: ?* + memory: ?* diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml new file mode 100644 index 000000000000..34b5af5fd12f --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/check-image.yaml 
@@ -0,0 +1,35 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + name: check-image +spec: + admission: true + background: true + rules: + - match: + any: + - resources: + kinds: + - Pod + name: verify-signature + verifyImages: + - attestors: + - count: 1 + entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFN8gGjQua2g8N+aLx3Eff+/j5HxL + bV+H2z50/0A4d8XyMUvizPQBtcgei43pqLj1850m3wSwI08z2+6zT1QaEg== + -----END PUBLIC KEY----- + signatureAlgorithm: sha256 + imageReferences: + - '*' + mutateDigest: true + required: true + useCache: true + verifyDigest: true + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml new file mode 100644 index 000000000000..c6bc85b85fe7 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-limit-configmap-for-sa.yaml 
@@ -0,0 +1,59 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + kyverno.io/kubernetes-version: 1.20-1.23 + kyverno.io/kyverno-version: 1.6.0 + policies.kyverno.io/category: Other + policies.kyverno.io/description: This policy shows how to restrict certain operations + on specific ConfigMaps by ServiceAccounts. + policies.kyverno.io/severity: medium + policies.kyverno.io/subject: ConfigMap, ServiceAccount + policies.kyverno.io/title: Limit ConfigMap to ServiceAccounts for a User + name: limit-configmap-for-sa +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - ConfigMap + subjects: + - kind: ServiceAccount + name: developer + namespace: kube-system + - resources: + kinds: + - ConfigMap + subjects: + - kind: ServiceAccount + name: another-developer + namespace: another-namespace + name: limit-configmap-for-sa-developer + preconditions: + all: + - key: '{{request.object.metadata.namespace}}' + operator: AllIn + value: + - any-namespace + - another-namespace + - key: '{{request.object.metadata.name}}' + operator: AllIn + value: + - any-configmap-name-good + - another-configmap-name + validate: + deny: + conditions: + all: + - key: '{{request.operation}}' + operator: In + value: + - UPDATE + - CREATE + message: '{{request.object.metadata.namespace}}/{{request.object.kind}}/{{request.object.metadata.name}} + resource is protected. Admin or allowed users can change the resource' + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml new file mode 100644 index 000000000000..095c6af952da --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/cpol-pod-requirements.yaml 
@@ -0,0 +1,45 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + name: pod-requirements +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-account + validate: + validationFailureAction: Audit + message: User pods must include an account for charging + pattern: + metadata: + labels: + account: '*?' + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-limits + validate: + message: CPU and memory resource requests and limits are required for user pods + pattern: + spec: + containers: + - resources: + limits: + cpu: ?* + memory: ?* + requests: + cpu: ?* + memory: ?* + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml new file mode 100644 index 000000000000..2f0347e5c534 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/invalid-schema.yaml 
@@ -0,0 +1,44 @@ +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: pod-requirements + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/severity: medium + policies.kyverno.io/category: Pod Security Standards (Restricted) +spec: + background: false + rules: + - name: pods-require-account + match: + resources: + kinds: + - Pod + namespaceSelector: + matchLabels: + istio/rev: "default" + validate: + validationFailureAction: audit + message: User pods must include an account for charging + pattern: + metadata: + labels: + account: "*?" + - name: pods-require-limits + match: + resources: + kinds: + - Pod + validate: + validationFailureAction: audit + message: CPU and memory resource requests and limits are required for user pods + pattern: + spec: + containers: + - resources: + requests: + memory: "?*" + cpu: "?*" + limits: + memory: "?*" + cpu: "?*" diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml new file mode 100644 index 000000000000..03981491074d --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/pol-pod-requirements.yaml 
@@ -0,0 +1,46 @@ +--- +apiVersion: kyverno.io/v1 +kind: Policy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + name: pod-requirements + namespace: test +spec: + admission: true + background: false + rules: + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-account + validate: + validationFailureAction: Audit + message: User pods must include an account for charging + pattern: + metadata: + labels: + account: '*?' + - match: + any: + - resources: + kinds: + - Pod + name: pods-require-limits + validate: + validationFailureAction: Audit + message: CPU and memory resource requests and limits are required for user pods + pattern: + spec: + containers: + - resources: + limits: + cpu: ?* + memory: ?* + requests: + cpu: ?* + memory: ?* diff --git a/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml new file mode 100644 index 000000000000..6007ec75a432 --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/policies/restricted.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + annotations: + pod-policies.kyverno.io/autogen-controllers: none + policies.kyverno.io/category: Pod Security Standards (Restricted) + policies.kyverno.io/severity: medium + name: psa +spec: + background: true + rules: + - name: restricted + match: + any: + - resources: + kinds: + - Pod + validate: + podSecurity: + level: restricted + version: latest + validationFailureAction: Audit diff --git a/cmd/cli/kubectl-kyverno/_testdata/resources/all-unique.yaml b/cmd/cli/kubectl-kyverno/_testdata/resources/all-unique.yaml new file mode 100644 index 000000000000..57f0ea57e15c --- /dev/null +++ b/cmd/cli/kubectl-kyverno/_testdata/resources/all-unique.yaml 
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod1
+ namespace: foo
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod2
+ namespace: foo
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod2
+ namespace: bar
+
+---
+# will not be used
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod3
+ namespace: bar
+
+---
+# will not be used
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myapp-pod2 # reuse the name of the pod to check duplicate check
+
+---
+# will not be used
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myns
diff --git a/cmd/cli/kubectl-kyverno/_testdata/resources/namespace.yaml b/cmd/cli/kubectl-kyverno/_testdata/resources/namespace.yaml
new file mode 100644
index 000000000000..1f9532b30dee
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/resources/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prod-bus-app1
+ labels:
+ purpose: production
+spec: {}
+status: {}
diff --git a/cmd/cli/kubectl-kyverno/_testdata/resources/with-duplicate.yaml b/cmd/cli/kubectl-kyverno/_testdata/resources/with-duplicate.yaml
new file mode 100644
index 000000000000..59e6a59d4995
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/resources/with-duplicate.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod1
+ namespace: foo
+
+---
+# duplicate pod
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod1
+ namespace: foo
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod2
+ namespace: foo
+
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod2
+ namespace: bar
+
+---
+# will not be used
+apiVersion: v1
+kind: Pod
+metadata:
+ name: myapp-pod3
+ namespace: bar
+
+---
+# will not be used
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myapp-pod2 # reuse the name of the pod to check duplicate check
+
+---
+# will not be used
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: myns
diff --git a/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml b/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml
new file mode 100644
index 000000000000..d6f24ea5f6d8
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/tests/test-1/kyverno-test.yaml
@@ -0,0 +1,16 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: test-registry
+policies:
+- image-example.yaml
+resources:
+- resources.yaml
+results:
+- kind: Pod
+ policy: images
+ resources:
+ - test-pod-with-non-root-user-image
+ - test-pod-with-trusted-registry
+ result: pass
+ rule: only-allow-trusted-images
diff --git a/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml b/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml
new file mode 100644
index 000000000000..ff39c9c38705
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/tests/test-2/kyverno-test.yaml
@@ -0,0 +1,23 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: add-quota
+policies:
+- policy.yaml
+resources:
+- resource.yaml
+results:
+- generatedResource: generatedLimitRange.yaml
+ kind: Namespace
+ policy: add-ns-quota
+ resources:
+ - hello-world-namespace
+ result: pass
+ rule: generate-limitrange
+- generatedResource: generatedResourceQuota.yaml
+ kind: Namespace
+ policy: add-ns-quota
+ resources:
+ - hello-world-namespace
+ result: pass
+ rule: generate-resourcequota
diff --git a/cmd/cli/kubectl-kyverno/_testdata/tests/test-invalid/kyverno-test-invalid.yaml b/cmd/cli/kubectl-kyverno/_testdata/tests/test-invalid/kyverno-test-invalid.yaml
new file mode 100644
index 000000000000..20e9ff3feaa8
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/tests/test-invalid/kyverno-test-invalid.yaml
@@ -0,0 +1 @@
+foo: bar
diff --git a/cmd/cli/kubectl-kyverno/_testdata/user-infos/invalid.yaml b/cmd/cli/kubectl-kyverno/_testdata/user-infos/invalid.yaml
new file mode 100644
index 000000000000..7daacd5db8d3
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/user-infos/invalid.yaml
@@ -0,0 +1 @@
+foo: bar
\ No newline at end of file
diff --git a/cmd/cli/kubectl-kyverno/_testdata/user-infos/valid.yaml b/cmd/cli/kubectl-kyverno/_testdata/user-infos/valid.yaml
new file mode 100644
index 000000000000..0fd5541e98a4
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/user-infos/valid.yaml
@@ -0,0 +1,4 @@
+clusterRoles:
+- cluster-admin
+userInfo:
+ username: molybdenum@somecorp.com
\ No newline at end of file
diff --git a/cmd/cli/kubectl-kyverno/_testdata/values/bad-format.yaml b/cmd/cli/kubectl-kyverno/_testdata/values/bad-format.yaml
new file mode 100644
index 000000000000..c8ac2511fc1d
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/values/bad-format.yaml
@@ -0,0 +1,6 @@
+foo: bar
+
+namespaceSelector:
+ - name: test1
+ labels:
+ foo.com/managed-state: managed
diff --git a/cmd/cli/kubectl-kyverno/_testdata/values/global-values.yaml b/cmd/cli/kubectl-kyverno/_testdata/values/global-values.yaml
new file mode 100644
index 000000000000..92d4a627e4be
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/values/global-values.yaml
@@ -0,0 +1,3 @@
+globalValues:
+ foo: bar
+ baz: jee
diff --git a/cmd/cli/kubectl-kyverno/_testdata/values/limit-configmap-for-sa.yaml b/cmd/cli/kubectl-kyverno/_testdata/values/limit-configmap-for-sa.yaml
new file mode 100644
index 000000000000..11acf1a8722f
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/_testdata/values/limit-configmap-for-sa.yaml
@@ -0,0 +1,14 @@
+policies:
+ - name: limit-configmap-for-sa
+ resources:
+ - name: any-configmap-name-good
+ values:
+ request.operation: UPDATE
+ - name: any-configmap-name-bad
+ values:
+ request.operation: UPDATE
+
+namespaceSelector:
+ - name: test1
+ labels:
+ foo.com/managed-state: managed
diff --git a/cmd/cli/kubectl-kyverno/apis/doc.go b/cmd/cli/kubectl-kyverno/apis/doc.go
new file mode 100644
index 000000000000..7b272ed51457
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/doc.go
@@ -0,0 +1 @@
+package apis
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/doc.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/doc.go
new file mode 100755
index 000000000000..52fa4db9f73d
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/doc.go
@@ -0,0 +1,3 @@
+// +groupName=cli.kyverno.io
+
+package v1alpha1
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/namespace_selector.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/namespace_selector.go
new file mode 100644
index 000000000000..6cc9c76b90ea
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/namespace_selector.go
@@ -0,0 +1,10 @@
+package v1alpha1
+
+// NamespaceSelector declares labels for a given namespace
+type NamespaceSelector struct {
+ // Name is the namespace name
+ Name string `json:"name"`
+
+ // Labels are the labels for the given namespace
+ Labels map[string]string `json:"labels"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/policy.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/policy.go
new file mode 100644
index 000000000000..1c5ce5740d5f
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/policy.go
@@ -0,0 +1,13 @@
+package v1alpha1
+
+// Policy declares values for a given policy
+type Policy struct {
+ // Name is the policy name
+ Name string `json:"name"`
+
+ // Resources are values for specific resources
+ Resources []Resource `json:"resources,omitempty"`
+
+ // Rules are values for specific policy rules
+ Rules []Rule `json:"rules,omitempty"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/resource.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/resource.go
new file mode 100644
index 000000000000..a78551b721a7
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/resource.go
@@ -0,0 +1,13 @@
+package v1alpha1
+
+// Resource declares values for a given resource
+type Resource struct {
+ // Name is the name of the resource
+ Name string `json:"name"`
+
+ // Values are the values for the given resource
+ // +kubebuilder:validation:Type=object
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ Values map[string]interface{} `json:"values,omitempty"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/rule.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/rule.go
new file mode 100644
index 000000000000..3a20f2720d62
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/rule.go
@@ -0,0 +1,19 @@
+package v1alpha1
+
+// Rule declares values for a given policy rule
+type Rule struct {
+ // Name is the name of the ppolicy rule
+ Name string `json:"name"`
+
+ // Values are the values for the given policy rule
+ // +kubebuilder:validation:Type=object
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ Values map[string]interface{} `json:"values,omitempty"`
+
+ // ForeachValues are the foreach values for the given policy rule
+ // +kubebuilder:validation:Type=object
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ ForeachValues map[string][]interface{} `json:"foreachValues,omitempty"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/subresource.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/subresource.go
new file mode 100644
index 000000000000..de55e3272fbc
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/subresource.go
@@ -0,0 +1,14 @@
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Subresource declares subresource/parent resource mapping
+type Subresource struct {
+ // Subresource declares the subresource api
+ Subresource metav1.APIResource `json:"subresource"`
+
+ // ParentResource declares the parent resource api
+ ParentResource metav1.APIResource `json:"parentResource"`
+}
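Review bot: The doc comment on `Rule.Name` in rule.go has a typo, `// Name is the name of the ppolicy rule`; it should read `// Name is the name of the policy rule`. The sibling comment in resource.go, `// Name is the name of the resource`, is the pattern to match, and the two files are otherwise consistent.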
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/test.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/test.go
new file mode 100644
index 000000000000..e5c6f35b2ef6
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/test.go
@@ -0,0 +1,66 @@
+package v1alpha1
+
+import (
+ "github.com/kyverno/kyverno-json/pkg/apis/policy/v1alpha1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope="Cluster"
+
+// Test declares a test
+type Test struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // Name is the name of the test.
+ // This field is deprecated, use `metadata.name` instead
+ Name string `json:"name,omitempty"`
+
+ // Policies are the policies to be used in the test
+ Policies []string `json:"policies,omitempty"`
+
+ // Resources are the resource to be used in the test
+ Resources []string `json:"resources,omitempty"`
+
+ // Variables is the values to be used in the test
+ Variables string `json:"variables,omitempty"`
+
+ // UserInfo is the user info to be used in the test
+ UserInfo string `json:"userinfo,omitempty"`
+
+ // Results are the results to be checked in the test
+ Results []TestResult `json:"results,omitempty"`
+
+ // Checks are the verifications to be checked in the test
+ Checks []CheckResult `json:"checks,omitempty"`
+
+ // Values are the values to be used in the test
+ Values *ValuesSpec `json:"values,omitempty"`
+
+ // Policy Exceptions are the policy exceptions to be used in the test
+ PolicyExceptions []string `json:"exceptions,omitempty"`
+}
+
+type CheckResult struct {
+ // Match tells how to match relevant rule responses
+ Match CheckMatch `json:"match,omitempty"`
+
+ // Assert contains assertion to be performed on the relevant rule responses
+ Assert v1alpha1.Any `json:"assert"`
+
+ // Error contains negative assertion to be performed on the relevant rule responses
+ Error v1alpha1.Any `json:"error"`
+}
+
+type CheckMatch struct {
+ // Resource filters engine responses
+ Resource *v1alpha1.Any `json:"resource,omitempty"`
+
+ // Policy filters engine responses
+ Policy *v1alpha1.Any `json:"policy,omitempty"`
+
+ // Rule filters rule responses
+ Rule *v1alpha1.Any `json:"rule,omitempty"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/test_result.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/test_result.go
new file mode 100644
index 000000000000..8784cb8aef5b
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/test_result.go
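Review bot: `CheckResult` and `CheckMatch` in test.go are exported types with no doc comment, while `Test` in the same file documents itself and the file carries kubebuilder markers, so these types presumably end up in generated CRD/API docs with empty descriptions. Suggested comments: `// CheckResult declares an assertion to be evaluated against the matching engine responses` and `// CheckMatch declares the filters selecting which engine responses a check applies to`. The deprecation of `Test.Name` is written as free text (`// This field is deprecated, use ...`); Go tooling only surfaces the `// Deprecated: use metadata.name instead.` form on its own line, so the replacement is easier to find if that form is used. `Variables` and `UserInfo` look like file references given the `user-infos/` test data added in this commit, but the comments only say "the values"/"the user info" — stating what kind of value the string holds would help readers.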
@@ -0,0 +1,65 @@
+package v1alpha1
+
+import (
+ policyreportv1alpha2 "github.com/kyverno/kyverno/api/policyreport/v1alpha2"
+)
+
+// TestResultBase declares a test result base fields
+type TestResultBase struct {
+ // Policy mentions the name of the policy.
+ Policy string `json:"policy"`
+
+ // Rule mentions the name of the rule in the policy.
+ // It's required in case policy is a kyverno policy.
+ // +optional
+ Rule string `json:"rule,omitempty"`
+
+ // IsValidatingAdmissionPolicy indicates if the policy is a validating admission policy.
+ // It's required in case policy is a validating admission policy.
+ // +optional
+ IsValidatingAdmissionPolicy bool `json:"isValidatingAdmissionPolicy,omitempty"`
+
+ // Result mentions the result that the user is expecting.
+ // Possible values are pass, fail and skip.
+ Result policyreportv1alpha2.PolicyResult `json:"result"`
+
+ // Kind mentions the kind of the resource on which the policy is to be applied.
+ Kind string `json:"kind"`
+
+ // PatchedResource takes a resource configuration file in yaml format from
+ // the user to compare it against the Kyverno mutated resource configuration.
+ PatchedResource string `json:"patchedResource,omitempty"`
+
+ // GeneratedResource takes a resource configuration file in yaml format from
+ // the user to compare it against the Kyverno generated resource configuration.
+ GeneratedResource string `json:"generatedResource,omitempty"`
+
+ // CloneSourceResource takes the resource configuration file in yaml format
+ // from the user which is meant to be cloned by the generate rule.
+ CloneSourceResource string `json:"cloneSourceResource,omitempty"`
+}
+
+// TestResultBase declares a test result deprecated fields
+type TestResultDeprecated struct {
+ // Status mentions the status that the user is expecting.
+ // Possible values are pass, fail and skip.
+ // This is DEPRECATED, use `Result` instead.
+ Status policyreportv1alpha2.PolicyResult `json:"status,omitempty"`
+
+ // Resource mentions the name of the resource on which the policy is to be applied.
+ // This is DEPRECATED, use `Resources` instead.
+ Resource string `json:"resource,omitempty"`
+
+ // Namespace mentions the namespace of the policy which has namespace scope.
+ // This is DEPRECATED, use a name in the form `/` for policies and/or resources instead.
+ Namespace string `json:"namespace,omitempty"`
+}
+
+// TestResultBase declares a test result
+type TestResult struct {
+ TestResultBase `json:",inline,omitempty"`
+ TestResultDeprecated `json:",inline,omitempty"`
+
+ // Resources gives us the list of resources on which the policy is going to be applied.
+ Resources []string `json:"resources"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/user_info.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/user_info.go
new file mode 100644
index 000000000000..f4f539867ca8
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/user_info.go
@@ -0,0 +1,19 @@
+package v1alpha1
+
+import (
+ kyvernov2 "github.com/kyverno/kyverno/api/kyverno/v2"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope="Cluster"
+
+// UserInfo declares user infos to be loaded by the Kyverno CLI
+type UserInfo struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // RequestInfo declares user infos
+ kyvernov2.RequestInfo `json:",inline"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/values.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/values.go
new file mode 100644
index 000000000000..eb2c23281724
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/values.go
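Review bot: In test_result.go the doc comments on `TestResultDeprecated` and `TestResult` both begin `// TestResultBase declares ...`, which looks copied from the first type; a Go doc comment must begin with the name it documents, so they should read `// TestResultDeprecated declares the deprecated test result fields` and `// TestResult declares a test result`. The three deprecated fields (`Status`, `Resource`, `Namespace`) use `// This is DEPRECATED, use ... instead.`; the form that godoc and staticcheck recognise is `// Deprecated: use Result instead.` on its own line, and since these fields remain accepted from user-supplied test files, surfacing the deprecation in tooling is the only way users will notice it. The `Namespace` comment's "name in the form `/`" has apparently lost its placeholder text in this view; confirm the source reads `<namespace>/<name>`.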
@@ -0,0 +1,18 @@
+package v1alpha1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:scope="Cluster"
+
+// Values declares values to be loaded by the Kyverno CLI
+type Values struct {
+ metav1.TypeMeta `json:",inline,omitempty"`
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // ValuesSpec declares values
+ ValuesSpec `json:",inline"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apis/v1alpha1/values_spec.go b/cmd/cli/kubectl-kyverno/apis/v1alpha1/values_spec.go
new file mode 100644
index 000000000000..de6d828340e0
--- /dev/null
+++ b/cmd/cli/kubectl-kyverno/apis/v1alpha1/values_spec.go
@@ -0,0 +1,19 @@
+package v1alpha1
+
+// ValuesSpec declares values to be loaded by the Kyverno CLI
+type ValuesSpec struct {
+ // GlobalValues are the global values
+ // +kubebuilder:validation:Type=object
+ // +kubebuilder:pruning:PreserveUnknownFields
+ // +kubebuilder:validation:Schemaless
+ GlobalValues map[string]interface{} `json:"globalValues,omitempty"`
+
+ // Policies are the policy values
+ Policies []Policy `json:"policies,omitempty"`
+
+ // NamespaceSelectors are the namespace labels
+ NamespaceSelectors []NamespaceSelector `json:"namespaceSelector,omitempty"`
+
+ // Subresources are the subresource/parent resource mappings
+ Subresources []Subresource `json:"subresources,omitempty"`
+}
diff --git a/cmd/cli/kubectl-kyverno/apply/apply_command.go b/cmd/cli/kubectl-kyverno/apply/apply_command.go
deleted file mode 100644
index 777fe737821c..000000000000
--- a/cmd/cli/kubectl-kyverno/apply/apply_command.go
+++ /dev/null
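Review bot: In values_spec.go the `NamespaceSelectors` field serialises under the singular key `namespaceSelector` while its neighbours `Policies` and `Subresources` use plural keys. The values test data added in this same commit (`bad-format.yaml`, `limit-configmap-for-sa.yaml`) uses `namespaceSelector:`, so the singular key is load-bearing and the mismatch is easy to mistake for a typo and "fix", which would silently drop the selector from every existing values file. A comment on the field would prevent that, e.g. `// NamespaceSelectors are the namespace labels. The JSON key is singular to stay compatible with existing values files.`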
@@ -1,562 +0,0 @@ -package apply - -import ( - "context" - "fmt" - "net/url" - "os" - "path/filepath" - "sort" - "strings" - "time" - - "github.com/go-git/go-billy/v5/memfs" - kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" - "github.com/kyverno/kyverno/api/kyverno/v1beta1" - "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/common" - sanitizederror "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/sanitizedError" - "github.com/kyverno/kyverno/cmd/cli/kubectl-kyverno/utils/store" - "github.com/kyverno/kyverno/pkg/clients/dclient" - "github.com/kyverno/kyverno/pkg/config" - "github.com/kyverno/kyverno/pkg/openapi" - policy2 "github.com/kyverno/kyverno/pkg/policy" - gitutils "github.com/kyverno/kyverno/pkg/utils/git" - "github.com/spf13/cobra" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/client-go/dynamic" - "k8s.io/client-go/kubernetes" - "sigs.k8s.io/controller-runtime/pkg/log" - yaml1 "sigs.k8s.io/yaml" -) - -type Resource struct { - Name string `json:"name"` - Values map[string]string `json:"values"` -} - -type Policy struct { - Name string `json:"name"` - Resources []Resource `json:"resources"` -} - -type Values struct { - Policies []Policy `json:"policies"` -} - -type SkippedInvalidPolicies struct { - skipped []string - invalid []string -} - -type ApplyCommandConfig struct { - KubeConfig string - Context string - Namespace string - MutateLogPath string - VariablesString string - ValuesFile string - UserInfoPath string - Cluster bool - PolicyReport bool - Stdin bool - RegistryAccess bool - AuditWarn bool - ResourcePaths []string - PolicyPaths []string - GitBranch string - warnExitCode int -} - -var ( - applyHelp = ` - -To apply on a resource: - kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resource1 --resource=/path/to/resource2 - -To apply on a folder of resources: - kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --resource=/path/to/resources/ - -To apply on a cluster: - 
kyverno apply /path/to/policy.yaml /path/to/folderOfPolicies --cluster - -To apply policies from a gitSourceURL on a cluster: - Example: Taking github.com as a gitSourceURL here. Some other standards gitSourceURL are: gitlab.com , bitbucket.org , etc. - kyverno apply https://github.com/kyverno/policies/openshift/ --git-branch main --cluster - -To apply policy with variables: - - 1. To apply single policy with variable on single resource use flag "set". - Example: - kyverno apply /path/to/policy.yaml --resource /path/to/resource.yaml --set =,= - - 2. To apply multiple policy with variable on multiple resource use flag "values_file". - Example: - kyverno apply /path/to/policy1.yaml /path/to/policy2.yaml --resource /path/to/resource1.yaml --resource /path/to/resource2.yaml -f /path/to/value.yaml - - Format of value.yaml: - - policies: - - name: - rules: - - name: - values: - : - : - - name: - values: - : - : - resources: - - name: - values: - : - : - - name: - values: - : - : - - name: - resources: - - name: - values: - : - : - - name: - values: - : - : - namespaceSelector: - - name: - labels: -